cors
Access-Control-Allow-Credentials
Signals that the response may be shared with the requesting origin even when the request was made with credentials (cookies, HTTP auth, or client TLS certs). The only legal value is the literal string 'true'.
Access-Control-Allow-Credentials: true Common directives / values
| Directive | Purpose |
|---|---|
| true | Allow the browser to expose the response to JS when credentials: 'include' was used. |
| false / omitted | Default — credentialed responses are hidden from JS. |
Examples
Access-Control-Allow-Origin: https://app.example.com\nAccess-Control-Allow-Credentials: true Correct credentialed CORS: specific origin, not *.
Access-Control-Allow-Origin: *\nAccess-Control-Allow-Credentials: true INVALID — browser rejects; you must echo the exact origin.
Access-Control-Allow-Origin: https://app.example.com\nAccess-Control-Allow-Credentials: true\nAccess-Control-Expose-Headers: X-Request-Id Credentialed request that also exposes a custom response header.
fetch(url, {credentials: 'include'}) Client side — required for the browser to actually send cookies/auth.
Gotcha
Access-Control-Allow-Origin: * plus Allow-Credentials: true is a spec violation — the browser blocks the response. Also, Allow-Headers/Allow-Methods cannot be * when credentials are used.
Related headers
Access-Control-Allow-Origin
The core CORS response header: names the single origin (or *) permitted to read this response from client-side JavaScript. If missing or non-matching, the browser blocks the response from the calling script.
Access-Control-Allow-Headers
Preflight response listing which request headers the actual request is allowed to send. Required whenever the client sends any non-CORS-safelisted header such as Authorization or a custom X-* header.
Access-Control-Allow-Methods
Sent in the preflight (OPTIONS) response to list which HTTP methods the actual cross-origin request may use. Cached by the browser according to Access-Control-Max-Age.
Cookie
Client sends previously stored cookies that match the request's origin, path, and Secure/SameSite constraints. All applicable name=value pairs are concatenated into a single header.
Access-Control-Expose-Headers
Lists response headers that the browser will expose to client JavaScript across origins. By default only a small CORS-safelisted set (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma) is readable.