Access-Control-Allow-Credentials
Response header CORS

Overview

Access-Control-Allow-Credentials is the CORS header that specifies whether the browser may hand a response to scripts when a cross-origin request carries credentials such as cookies, HTTP auth, or client certificates.

The only valid value is true; false or any other value is effectively the same as omitting the header.

Details

For a client to send credentials (fetch's credentials: "include", XHR's withCredentials = true), the server response must set this header to true. Without it, the request may still be sent but the browser blocks the response and ignores cookies.

The key constraint: in credentials mode, Access-Control-Allow-Origin cannot be the wildcard * — it must reflect a single origin exactly matching the request origin. Likewise * for Access-Control-Allow-Headers and Access-Control-Allow-Methods is invalid in credentials mode and must be listed explicitly.

A server that dynamically reflects the origin must also emit Vary: Origin so caches don't mix per-origin responses. Getting these three right together (a specific origin, credentials true, and Vary: Origin) is the standard setup for a cookie-authenticated CORS API.

Syntax

Access-Control-Allow-Credentials: true

e.g. Access-Control-Allow-Credentials: true

Notes

Related headers

Related status codes

Specification