The HTTP Access-Control-Allow-Credentials response header is part of the CORS protocol to allow cross-origin sharing, and it is sent by the server to indicate to the client that the HTTP response can be shared when the credentials mode is set to
The HTTP Access-Control-Allow-Credentials response header is used by servers to indicate that the client shall share HTTP responses to code when the HTTP request’s credentials mode is
include. In this context, credentials can be Cookies, Authorization headers, or TLS client certificates.
When this is used as part of a preflight request, it signals whether the HTTP request can be made using credentials. For HTTP requests that do not have a preflight mechanism, such as HTTP GET method, it operates differently. In that case, when a HTTP request is made using credentials, and this HTTP header is not included with the resource, then the HTTP response is ignored and not returned.
Without a value of
true, the client will not share the HTTP response when the credentials mode is
The Access-Control-Allow-Credentials response header is sent by a server to inform clients whether they shall share HTTP responses when the credentials mode is set to