Access-Control-Allow-Credentials
The HTTP Access-Control-Allow-Credentials response
header indicates whether the browser exposes the response
to front-end JavaScript when the request's credentials mode
is include. This header is part of the CORS
protocol.
Usage
Cross-origin requests default to excluding credentials such
as cookies,
Authorization headers, and TLS client
certificates. When a client sets the credentials mode to
include, the server must return
Access-Control-Allow-Credentials with a value of true
for the browser to expose the response body and headers to
the calling script.
During a preflight exchange, this header signals whether
the actual request is permitted to carry credentials. If
the preflight response omits the header or sets a value
other than true, the browser blocks the credentialed
request entirely.
For simple CORS requests (those without a preflight step, such as a basic GET), the browser still checks the header after receiving the response. If the header is missing, the browser does not expose the response: its body and headers never reach the calling code.
Note
When credentials are included, the
Access-Control-Allow-Origin
header must specify an explicit origin. The wildcard
* is not permitted alongside credentialed requests.
Values
true
The only valid value. Including the header with true
tells the browser to expose the response when credentials
are present.
Access-Control-Allow-Credentials: true
Omitting the header or sending any other value has the same effect: the browser treats the response as non-credentialed and withholds the body from JavaScript.
Example
A front-end application sends a cross-origin fetch with credentials included. The server responds with the credentials header, an explicit origin, and a Vary: Origin header so that caches keep responses for different origins apart.
Access-Control-Allow-Origin: https://app.example.re
Access-Control-Allow-Credentials: true
Vary: Origin
During a preflight for a credentialed POST request, the server confirms both the allowed method and credential support.
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://app.example.re
Access-Control-Allow-Methods: POST
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 3600
Vary: Origin
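The following JavaScript models both halves of the exchange described in the Usage and Example sections: the server side that decides which CORS headers to attach (echoing an allow-listed origin rather than a wildcard, and answering a preflight with the permitted methods), and the browser side that applies the exposure rules for a credentialed request. It is an added example, not code from this page or from any browser or server project; the function names (buildCorsHeaders, browserExposesResponse), the ALLOWED_ORIGINS set, and the sample origins are this example's own constructed values.

```javascript
// Added example (not from the original page): a minimal model of a credentialed
// CORS exchange. ALLOWED_ORIGINS and both function names are this example's own;
// the origins are constructed sample values.

const ALLOWED_ORIGINS = new Set(["https://app.example.re"]); // constructed allow-list

// Server side: build the CORS response headers for one request.
// Returns null when the Origin header is not allow-listed, so the response
// carries no Access-Control-Allow-Origin at all and the browser blocks the read.
// The exact origin is echoed back because "*" is not permitted alongside
// Access-Control-Allow-Credentials: true.
function buildCorsHeaders({ origin, preflight = false, requestedMethod = "GET",
                            allowedMethods = ["GET", "POST"] }) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  // A preflight asking for a method the server does not allow gets no CORS grant.
  if (preflight && !allowedMethods.includes(requestedMethod)) return null;

  const headers = {
    "Access-Control-Allow-Origin": origin,        // explicit origin, never "*"
    "Access-Control-Allow-Credentials": "true",   // the only valid value
    "Vary": "Origin",                             // caches must key on Origin
  };
  if (preflight) {
    headers["Access-Control-Allow-Methods"] = allowedMethods.join(", ");
    headers["Access-Control-Max-Age"] = "3600";   // cache the preflight result
  }
  return headers;
}

// Browser side: the check a user agent performs after receiving the response.
// The page's request side is simply: fetch(url, { credentials: "include" }).
// With credentials mode "include" the response is exposed only if
// Access-Control-Allow-Credentials is exactly "true" (case-sensitive) and
// Access-Control-Allow-Origin equals the requesting origin; "*" is rejected.
// Without credentials, a wildcard or a matching origin is enough.
function browserExposesResponse(responseHeaders, requestOrigin, credentialsMode) {
  if (!responseHeaders) return false;
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  if (credentialsMode !== "include") {
    return acao === "*" || acao === requestOrigin;
  }
  return acao === requestOrigin && acac === "true";
}

// Walk through the page's two scenarios with a credentialed request.
function demo() {
  const origin = "https://app.example.re";
  const simple = buildCorsHeaders({ origin });
  const preflight = buildCorsHeaders({ origin, preflight: true, requestedMethod: "POST" });
  return {
    simpleExposed: browserExposesResponse(simple, origin, "include"),       // true
    preflightExposed: browserExposesResponse(preflight, origin, "include"), // true
    unknownOrigin: buildCorsHeaders({ origin: "https://other.example" }),   // null
  };
}
```

Run it with Node and call demo(); the allow-list check is the part worth copying, since a server that echoes any Origin together with Access-Control-Allow-Credentials: true hands every site the same access the note above forbids for the wildcard.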
Takeaway
The Access-Control-Allow-Credentials header with a
value of true permits browsers to share cross-origin
responses with JavaScript when the request carries
credentials such as cookies or
Authorization tokens.
See also
- Fetch Standard: HTTP Access-Control-Allow-Credentials
- Access-Control-Allow-Origin
- Access-Control-Allow-Headers
- Cookie
- Authorization
- CORS
- HTTP headers