CORS Headers Explained

Access-Control-Allow-Credentials

The Access-Control-Allow-Credentials header tells the browser whether the server allows credentials (such as cookies, authorization headers, or TLS client certificates) to be included in cross-origin requests, and whether the response to such a request may be exposed to the page.

When making a credentialed cross-origin request, the browser checks for this header in both the preflight response (if applicable) and the actual response. The server must return Access-Control-Allow-Credentials: true in both responses for the browser to include credentials and expose the response to JavaScript.

Syntax & Values

Access-Control-Allow-Credentials: true

The Access-Control-Allow-Credentials header only accepts the value true to indicate that credentials should be included in cross-origin requests. To disallow credentials, simply omit the header entirely.

Examples

Allowing credentials

Enables cookies and authorization headers to be sent with cross-origin requests. Must be used with a specific origin, not the wildcard *.

Access-Control-Allow-Credentials: true

Common Errors & Fixes

The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.

Ensure the server is configured to send Access-Control-Allow-Credentials: true for credentialed requests. This header must be on the actual response, and also on the preflight (OPTIONS) response if one is made.

Cannot use wildcard in Access-Control-Allow-Origin when credentials support is true.

When Access-Control-Allow-Credentials is true, the Access-Control-Allow-Origin header must specify a single, explicit origin (e.g., https://your-frontend.com), not the wildcard *. Because the value then depends on the requesting origin, also add Vary: Origin to the response so that caches do not serve a response granted to one origin to a request from another.

Preflight response for a credentialed request is missing the 'Access-Control-Allow-Credentials' header.

If a preflight (OPTIONS) request is made, its response must include Access-Control-Allow-Credentials: true.

Actual response for a credentialed request is missing the 'Access-Control-Allow-Credentials' header.

The response to the actual request (e.g., GET, POST) must include Access-Control-Allow-Credentials: true.
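As an added illustration (not code from the original page or from any particular server framework), the following JavaScript models both sides of the exchange these errors describe: a server-side function that emits the headers for the preflight and for the actual response only when the requesting origin is on an allow-list, and a browser-side check that reproduces the failure conditions behind each message above. The allow-list, the origins other than https://your-frontend.com, the function names, and the methods and request headers granted in the preflight are assumptions chosen for the example.

```javascript
// Added example, not code from the original page. The allow-list contents,
// function names, and the granted methods/headers are illustrative assumptions.

// Origins permitted to make credentialed requests. An explicit list is required
// because Access-Control-Allow-Origin cannot be "*" when credentials are allowed.
const ALLOWED_ORIGINS = new Set([
  'https://your-frontend.com',   // origin used in the page's example
  'https://admin.example.test',  // constructed second origin
]);

// Server side: build the CORS headers for one response. `method` is the HTTP
// method of the incoming request; OPTIONS is treated as the preflight.
// Origins not on the allow-list get no Access-Control-* headers at all, so the
// browser blocks them (the Origin value is never echoed back unchecked).
function corsResponseHeaders(requestOrigin, method, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: 'Origin' }; // response differs per origin; keep caches honest
  if (!allowed.has(requestOrigin)) {
    return headers;
  }
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  if (method === 'OPTIONS') {
    // Preflight response: the credentials grant must appear here too, next to
    // the methods and request headers being permitted.
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Browser side: model of the check applied to one response of a request made
// with credentials: 'include'. Each failure corresponds to one of the console
// errors listed above.
function checkCredentialedResponse(requestOrigin, headers) {
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  const allowCredentials = headers['Access-Control-Allow-Credentials'];
  if (allowOrigin === undefined) {
    return { ok: false, reason: 'missing Access-Control-Allow-Origin' };
  }
  if (allowOrigin === '*') {
    return { ok: false, reason: 'wildcard Access-Control-Allow-Origin not allowed with credentials' };
  }
  if (allowOrigin !== requestOrigin) {
    return { ok: false, reason: 'Access-Control-Allow-Origin does not match the request origin' };
  }
  // Only the exact string "true" is accepted; "false", "True" or an absent
  // header all fail, which is why omitting the header is the way to deny.
  if (allowCredentials !== 'true') {
    return {
      ok: false,
      reason: `Access-Control-Allow-Credentials is '${allowCredentials ?? ''}', must be 'true'`,
    };
  }
  return { ok: true, reason: '' };
}

// Whole exchange: a credentialed request succeeds only when the preflight
// response and the actual response both pass the check.
function simulateCredentialedRequest(requestOrigin, method, allowed = ALLOWED_ORIGINS) {
  const preflight = checkCredentialedResponse(
    requestOrigin, corsResponseHeaders(requestOrigin, 'OPTIONS', allowed));
  if (!preflight.ok) return { ok: false, stage: 'preflight', reason: preflight.reason };
  const actual = checkCredentialedResponse(
    requestOrigin, corsResponseHeaders(requestOrigin, method, allowed));
  if (!actual.ok) return { ok: false, stage: 'actual', reason: actual.reason };
  return { ok: true, stage: 'actual', reason: '' };
}

console.log(simulateCredentialedRequest('https://your-frontend.com', 'POST'));
console.log(simulateCredentialedRequest('https://other.example', 'GET'));
```

Running it shows the allow-listed origin passing both stages and the unknown origin failing at the preflight because no Access-Control-Allow-Origin was granted. Feeding checkCredentialedResponse a response with the wildcard origin, or with the credentials header set to false, reproduces the corresponding errors above; the exact-string comparison is also why the FAQ below says to omit the header rather than set it to false.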

Frequently Asked Questions

Is false allowed as a value for this header?

No, the specification states that the only valid value for the Access-Control-Allow-Credentials header is the literal string true. If you want to indicate that credentials are not allowed or not supported for the request, you should omit the header entirely rather than setting it to false.

What exactly do 'credentials' refer to in this context?

In the context of CORS and Access-Control-Allow-Credentials, 'credentials' most commonly refer to HTTP cookies. However, the term also encompasses other types of authentication information that can be managed by the browser, such as HTTP authentication schemes (e.g., Basic, Digest authentication) and TLS client certificates.