# Access-Control-Allow-Credentials

The `Access-Control-Allow-Credentials` response header tells browsers whether the server allows cross-origin HTTP requests to include credentials.

Credentials are cookies, TLS client certificates, or HTTP authentication headers containing a username and password. By default, these credentials are not sent in cross-origin requests, and sending them can make a site vulnerable to CSRF attacks.
A client can ask that credentials be included in cross-site requests in several ways:

- Using `fetch()`, by setting the `credentials` option to `"include"`.
- Using `XMLHttpRequest`, by setting the `XMLHttpRequest.withCredentials` property to `true`.
- Using `EventSource()`, by setting the `EventSource.withCredentials` property to `true`.
If the client has asked for credentials to be included:

- If the request is preflighted, the preflight request itself does not include credentials. If the server's response to the preflight sets the `Access-Control-Allow-Credentials` header to `true`, the real request will include credentials; otherwise, the browser reports a network error.
- If the request is not preflighted, the request includes credentials, and if the server's response does not set the `Access-Control-Allow-Credentials` header to `true`, the browser reports a network error.
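As an added example, not code from this page: a server-side helper that emits the CORS headers for a credentialed request only when the `Origin` is on an allow-list, together with a small model of the browser-side check from the Fetch Standard's CORS check. It shows why reflecting arbitrary origins is dangerous, and why `Access-Control-Allow-Origin: *`, a missing header, or any value other than the exact string `true` for `Access-Control-Allow-Credentials` ends in a network error for a credentialed request. The allow-listed origins and the method/header lists for the preflight are assumptions constructed for the example.

```javascript
// Added example (not MDN's code): server-side CORS headers for credentialed
// requests, plus a model of the browser-side check from the Fetch Standard.
// The origins in ALLOWED_ORIGINS are assumptions constructed for this example.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Build the CORS response headers for a request that carried `Origin: requestOrigin`.
// A credentialed response must echo exactly one allowed origin: browsers reject
// `Access-Control-Allow-Origin: *` when credentials are included, and reflecting
// whatever Origin arrives would let any site make credentialed requests.
function corsResponseHeaders(requestOrigin, { preflight = false } = {}, allowedOrigins = ALLOWED_ORIGINS) {
  const headers = {};
  if (typeof requestOrigin !== "string" || !allowedOrigins.has(requestOrigin)) {
    // Unknown origin: send no CORS headers at all; the browser reports a network error.
    return headers;
  }
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  // "true" is the only valid value. When credentials are not wanted, leave the
  // header out instead of sending "false".
  headers["Access-Control-Allow-Credentials"] = "true";
  // The response depends on the request's Origin, so shared caches must key on it.
  headers["Vary"] = "Origin";
  if (preflight) {
    // The preflight itself is sent without credentials; these headers tell the
    // browser what the real (credentialed) request may use. Lists are assumptions.
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Model of the browser's CORS check for a request whose credentials mode is
// "include" (Fetch Standard, "CORS check"). Returns true when the browser would
// expose the response to the page, false when it reports a network error.
function browserAllowsCredentialedResponse(responseHeaders, requestOrigin) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  // Absent header: failure. With credentials the wildcard is not accepted either,
  // so the value must match the request's origin byte for byte.
  if (acao === undefined || acao !== requestOrigin) return false;
  // The value is compared case-sensitively: "True", "TRUE", "false" or an
  // absent header all fail.
  return responseHeaders["Access-Control-Allow-Credentials"] === "true";
}

// Walk through the cases from the text with constructed request origins.
function demo() {
  const trusted = "https://app.example.com";
  const attacker = "https://attacker.example.net";
  return {
    trustedPreflight: browserAllowsCredentialedResponse(
      corsResponseHeaders(trusted, { preflight: true }), trusted),
    trustedActual: browserAllowsCredentialedResponse(corsResponseHeaders(trusted), trusted),
    attackerActual: browserAllowsCredentialedResponse(corsResponseHeaders(attacker), attacker),
    wildcardWithCredentials: browserAllowsCredentialedResponse(
      { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true" }, trusted),
  };
}

console.log(demo());
```

The allow-list is the security-relevant part: a server that copies the incoming `Origin` into `Access-Control-Allow-Origin` and adds `Access-Control-Allow-Credentials: true` has handed every site on the web a credentialed read of its responses.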
| Header type | Response header |
|---|---|
| Forbidden header name | no |
## Syntax

```http
Access-Control-Allow-Credentials: true
```

## Directives

- `true`
  - : The only valid value for this header is `true` (case-sensitive). If you don't need credentials, omit this header entirely (rather than setting its value to `false`).
## Examples

Allow credentials:

```http
Access-Control-Allow-Credentials: true
```

Using `fetch()` with credentials:

```js
fetch(url, {
  credentials: "include",
});
```

Using `XMLHttpRequest` with credentials:

```js
const xhr = new XMLHttpRequest();
xhr.open("GET", "http://example.com/", true);
xhr.withCredentials = true;
xhr.send(null);
```
## Specifications

| Specification |
|---|
| Fetch Standard # http-access-control-allow-credentials |
## Browser compatibility