Fix CORS on AWS Lambda

CORS on AWS Lambda requires configuration in two places: API Gateway (to handle the OPTIONS preflight) and your Lambda function (to return CORS headers on every response). Missing either one causes CORS errors.


HTTP API (API Gateway v2) — Recommended

HTTP API has built-in CORS support. Configure it in the console under your API → CORS, or via SAM/CDK:

# SAM template.yaml
MyApi:
  Type: AWS::Serverless::HttpApi
  Properties:
    CorsConfiguration:
      AllowOrigins:
        - "https://yourapp.com"
      AllowMethods:
        - GET
        - POST
        - OPTIONS
      AllowHeaders:
        - Content-Type
        - Authorization
      MaxAge: 600

HTTP API handles OPTIONS preflight automatically when CORS is configured. You do not need to add OPTIONS methods manually.

Lambda Function — Return CORS headers on every response

Even with API Gateway CORS configured, your Lambda function must return CORS headers on every response — including error responses. Otherwise browsers show a CORS error when your function returns a 4xx or 5xx.

# Python
import json

def lambda_handler(event, context):
    # Return the CORS headers alongside the normal response fields
    return {
        "statusCode": 200,
        "headers": {
            "Access-Control-Allow-Origin": "https://yourapp.com",
            "Access-Control-Allow-Headers": "Content-Type,Authorization",
            "Access-Control-Allow-Methods": "GET,POST,OPTIONS",
        },
        "body": json.dumps({"message": "ok"})
    }

// Node.js
exports.handler = async (event) => {
  // Return the CORS headers alongside the normal response fields
  return {
    statusCode: 200,
    headers: {
      "Access-Control-Allow-Origin": "https://yourapp.com",
      "Access-Control-Allow-Headers": "Content-Type,Authorization",
      "Access-Control-Allow-Methods": "GET,POST,OPTIONS",
    },
    body: JSON.stringify({ message: "ok" }),
  };
};

REST API (API Gateway v1)

REST API requires manual OPTIONS method configuration on each resource. In the AWS Console: select your resource → Actions → Enable CORS. This creates the OPTIONS method and sets the required headers.

# After enabling CORS, deploy the stage:
# API Gateway → Your API → Actions → Deploy API → Select stage

⚠ After any change to a REST API you must deploy the stage. Changes do not take effect until deployed.

Lambda Function URLs

Lambda Function URLs have their own CORS configuration, separate from API Gateway. Set it when creating or updating the Function URL:

aws lambda update-function-url-config \
  --function-name my-function \
  --cors '{
    "AllowOrigins": ["https://yourapp.com"],
    "AllowMethods": ["GET", "POST"],
    "AllowHeaders": ["Content-Type", "Authorization"],
    "MaxAge": 600
  }'

Common causes of CORS errors on Lambda

OPTIONS preflight returns 403 or 404 — REST API does not have an OPTIONS method on the resource. Enable CORS in the console or add the method manually.

CORS works for GET but fails for POST — POST with a JSON body triggers a preflight. Check that OPTIONS is configured and deployed.

CORS error on 500 responses — Lambda threw an error and the error response does not include CORS headers. Add CORS headers to your error handling code.

allow_origins=["*"] not working with credentials — Wildcard origin cannot be used when the request includes credentials (cookies or Authorization headers). Specify the exact origin.
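
One way to cover the last two causes together, as an added example that is not code from the original page: a decorator that attaches CORS headers to error responses as well as successes, and echoes the exact request origin only when it is on an allowlist. The names ALLOWED_ORIGINS, cors_headers and with_cors, the second origin, and the choice to send Access-Control-Allow-Credentials are assumptions made for illustration.

```python
import json
import logging
from functools import wraps

# Assumption: the origins allowed to call this API; replace with your own.
ALLOWED_ORIGINS = {"https://yourapp.com", "https://admin.yourapp.com"}


def cors_headers(event):
    """Build CORS headers for this request, echoing only allowlisted origins."""
    # Header-name casing differs between integrations, so normalise it.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    origin = headers.get("origin")
    out = {"Vary": "Origin"}  # stop caches reusing a response across origins
    if origin in ALLOWED_ORIGINS:
        out.update({
            "Access-Control-Allow-Origin": origin,  # exact origin, never "*"
            # Assumption: the browser client sends cookies or other credentials.
            "Access-Control-Allow-Credentials": "true",
            "Access-Control-Allow-Headers": "Content-Type,Authorization",
            "Access-Control-Allow-Methods": "GET,POST,OPTIONS",
        })
    return out


def with_cors(handler):
    """Decorator: add CORS headers to success and error responses alike."""
    @wraps(handler)
    def wrapper(event, context):
        try:
            response = handler(event, context)
        except Exception:
            # Log the detail server-side; send the client a generic body.
            logging.exception("unhandled error in handler")
            response = {"statusCode": 500,
                        "body": json.dumps({"message": "Internal server error"})}
        response["headers"] = {**(response.get("headers") or {}), **cors_headers(event)}
        return response
    return wrapper


@with_cors
def lambda_handler(event, context):
    if event.get("body") is None:
        raise ValueError("missing body")  # constructed failure to show the 500 path
    return {"statusCode": 200, "body": json.dumps({"message": "ok"})}
```

A request from an origin that is not on the allowlist still gets a normal response body, but without Access-Control-Allow-Origin, so the browser refuses to expose it to the calling page.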