Lamba url + .net core api, how to remove duplicate cors 'Access-Control-Allow-Origin'

Question

From the chrome console. Access to fetch at 'https://lambdaurl' from origin 'https://localhost:5002' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

It looks like both the core web api and lambda are adding the 'Access-Control-Allow-Origin':* header and chrome is not happy. Is there a way to configure lambda url to not duplicate the header.

It looks like both the core web api and lambda are adding the 'Access-Control-Allow-Origin':* header and chrome is not happy.  Is there a way to configure lambda url to not duplicate the header.

Accepted Answer

If you handle CORS in your .NET code, you can deactivate the automatic CORS handling for the Lambda function. [This option](https://docs.aws.amazon.com/lambda/latest/dg/urls-configuration.html#urls-cors) can be deactivated either using AWS Management Console or via AWS CLI. If you deploy your function using IaC (e.g. CloudFormation or SAM), do not set the corresponding configuration there, that means - do not specify the `Cors` or `FunctionUrlConfig` object.

Note that automatic CORS handling is deactivated by default.

You could also read [this blog post](https://aws.amazon.com/blogs/aws/announcing-aws-lambda-function-urls-built-in-https-endpoints-for-single-function-microservices/) which explains how to configure Lambda URLs.

Alternatively, you can leverage the Lambda function functionality to automatically handle CORS for you. Then, you should remove the CORS configuration from your .NET Web API initialization code (`AddCors()` and `UseCors()` methods).

Lamba url + .net core api, how to remove duplicate cors 'Access-Control-Allow-Origin'

Relevant content