Invalid Access-Control-Request-Methods
and Access-Control-Request-Headers
HTTP headers
#1250
Labels
Access-Control-Request-Methods
and Access-Control-Request-Headers
HTTP headers
#1250
Describe the bug
@middy/http-cors
sets the following HTTP response headers:Access-Control-Request-Methods
andAccess-Control-Request-Headers
.middy/packages/http-cors/index.js
Lines 154 to 165 in f50d235
However, the correct spelling of the former header is
Access-Control-Request-Method
(nos
).Additionally, those headers are meant to be set by the client (in the request), not the server (in the response). See MDN and the standard.
This is in contrast with
Access-Control-Allow-Methods
andAccess-Control-Allow-Headers
, which are correctly set.Expected behaviour
This seems to indicate those two headers should not be set at all, removing the
requestMethods
andrequestHeaders
options.Additional context
Note: Express CORS middleware does not set those headers either.
The text was updated successfully, but these errors were encountered: