cors

Access-Control-Allow-Credentials

Signals that the response may be shared with the requesting origin even when the request was made with credentials (cookies, HTTP auth, or client TLS certs). The only legal value is the literal string 'true'.

Access-Control-Allow-Credentials: true

Common directives / values

Directive Purpose
true Allow the browser to expose the response to JS when credentials: 'include' was used.
false / omitted Default — credentialed responses are hidden from JS.

Examples

Access-Control-Allow-Origin: https://app.example.com\nAccess-Control-Allow-Credentials: true

Correct credentialed CORS: specific origin, not *.

Access-Control-Allow-Origin: *\nAccess-Control-Allow-Credentials: true

INVALID — browser rejects; you must echo the exact origin.

Access-Control-Allow-Origin: https://app.example.com\nAccess-Control-Allow-Credentials: true\nAccess-Control-Expose-Headers: X-Request-Id

Credentialed request that also exposes a custom response header.

fetch(url, {credentials: 'include'})

Client side — required for the browser to actually send cookies/auth.

Gotcha

Access-Control-Allow-Origin: * plus Allow-Credentials: true is a spec violation — the browser blocks the response. Also, Allow-Headers/Allow-Methods cannot be * when credentials are used.

Related headers

← All HTTP headers · HTTP status codes · Fix CORS errors