We’re developing an API using AWS Lambda functions. We have a single Lambda that handles all OPTIONS requests for CORS preflight checks. This Lambda verifies the Origin against a whitelist and, if valid, responds with:
{
'Access-Control-Allow-Origin': 'https://exampledomain.com',
'Access-Control-Allow-Credentials': 'true'
}
For the actual API request (e.g., a POST or GET), we also want to include the same headers in the response to allow the browser to process the request correctly. However, we’re wondering if it’s safe to simply echo back the Origin value from the incoming request in the actual response instead of performing another whitelist validation.
For example:
OPTIONS request:
The Origin is checked against a whitelist.
If valid, the Lambda responds with a 200 status and the CORS headers.
Actual request (e.g., POST):
Instead of re-checking the Origin, we echo the Origin value in the Access-Control-Allow-Origin header, like so:
{
'Access-Control-Allow-Origin': request.headers.origin,
'Access-Control-Allow-Credentials': 'true'
}
My questions are:
Is this approach secure, assuming the whitelist validation happens during the OPTIONS request?
Are there any potential pitfalls or best practices we should consider here?
Thanks for any advice!
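Added example, not code from the question's own Lambda: one JavaScript helper that re-checks the Origin against the allowlist on every response, OPTIONS and actual request alike, and echoes it only after it passes; the proxy-style event shape (event.headers) and the second allowlist entry are assumptions.

```javascript
// Added example (not from the original question): a single CORS helper shared
// by the OPTIONS handler and the real request handlers, so the allowlist
// decision is made on every response instead of being trusted from the preflight.
// Assumed: API Gateway / Lambda proxy-style event carrying event.headers.

const ALLOWED_ORIGINS = new Set([
  'https://exampledomain.com',     // origin from the question
  'https://app.exampledomain.com', // constructed sample entry
]);

// Header names are case-insensitive; the event may carry "origin" or "Origin".
function getOrigin(headers) {
  if (!headers) return undefined;
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'origin');
  return key === undefined ? undefined : headers[key];
}

// Returns the CORS headers to attach, or {} when the Origin is not allowed.
// Exact string match only (no prefix, suffix or regex), so a lookalike host
// such as https://exampledomain.com.evil.example is rejected.
function corsHeaders(event) {
  const origin = getOrigin(event.headers);
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
    return {}; // no Access-Control-Allow-Origin: the browser withholds the response
  }
  return {
    'Access-Control-Allow-Origin': origin, // echoed only after validation
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // stops a shared cache replaying one origin's headers to another
  };
}

// Preflight handler: same check, plus the methods/headers the API accepts.
function handleOptions(event) {
  const cors = corsHeaders(event);
  if (Object.keys(cors).length === 0) return { statusCode: 403, headers: {}, body: '' };
  return {
    statusCode: 204,
    headers: {
      ...cors,
      'Access-Control-Allow-Methods': 'GET,POST,OPTIONS',
      'Access-Control-Allow-Headers': 'Content-Type,Authorization',
      'Access-Control-Max-Age': '600',
    },
    body: '',
  };
}

// Actual request handler: the same allowlist check, not an unconditional echo.
function handlePost(event) {
  return { statusCode: 200, headers: corsHeaders(event), body: JSON.stringify({ ok: true }) };
}
```

Browsers skip the preflight entirely for simple requests and may serve it from cache for others, so the handler for the actual request cannot assume the OPTIONS check ran for this call.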