Cross-Origin Resource Sharing is a mechanism that allows restricted resources on a web page to be requested from a domain outside of the original. CORS defines a way in which a web service and server can interact to determine whether or not it is safe to allow a cross-origin request.

Enabling CORS for a function allows specifying safe domains, and enabling out-of-the-box support for preflight HTTP requests (via the OPTIONS method) that will return the needed ‘access-control-*’ headers specified below. The actual HTTP request will return the ‘access-control-allow-origin’ method. You can enable CORS for cross-domain HTTP requests with Spotinst Functions. Add the required fields to your serverless.yml file.

Example CORS object:

    - enabled: true
      origin: "http://foo.example"
      headers: "Content-Type,X-PINGOTHER"
      methods: "PUT,POST"


  • enabled: Boolean
    • Specify if CORS is enabled for the function.
    • default: false
  • origin: String
    • Specifies a domain/origin that may access the resource. A wildcard ‘*’ may be used to allow any origin to access the resource.
    • default: ‘*’
  • methods: String
    • Comma-separated list of HTTP methods that are allowed to access the resource. This is used in response to a preflight request.
  • headers: String
    • Comma-separated list of allowed headers.
    • default: ‘Content-Type,Authorization’