Access-Control-Allow-Credentials
The Access-Control-Allow-Credentials
response header
tells browsers whether to expose the response to frontend JavaScript code when the
request's credentials mode (Request.credentials
) is include
.
When a request's credentials mode (Request.credentials
) is
include
, browsers will only expose the response to frontend JavaScript code
if the Access-Control-Allow-Credentials
value is true
.
Credentials are cookies, authorization headers or TLS client certificates.
When used as part of a response to a preflight request, this indicates whether or not
the actual request can be made using credentials. Note that simple GET
requests are not preflighted, and so if a request is made for a resource with
credentials, if this header is not returned with the resource, the response is ignored
by the browser and not returned to web content.
The Access-Control-Allow-Credentials
header works in conjunction with the
XMLHttpRequest.withCredentials
property or with the
credentials
option in the Request()
constructor of the Fetch API. For a CORS request with credentials, in order for browsers
to expose the response to frontend JavaScript code, both the server (using the
Access-Control-Allow-Credentials
header) and the client (by setting the
credentials mode for the XHR, Fetch, or Ajax request) must indicate that they’re opting
in to including credentials.
Header type | Response header |
---|---|
Forbidden header name | no |
Syntax
Access-Control-Allow-Credentials: true
Directives
- true
- The only valid value for this header is
true
(case-sensitive). If you don't need credentials, omit this header entirely (rather than setting its value tofalse
).
Examples
Allow credentials:
Access-Control-Allow-Credentials: true
Using XHR with credentials:
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://example.com/', true);
xhr.withCredentials = true;
xhr.send(null);
Using Fetch with credentials:
fetch(url, {
credentials: 'include'
})
Specifications
Specification | Status | Comment |
---|---|---|
Fetch The definition of 'Access-Control-Allow-Credentials' in that specification. |
Living Standard | Initial definition |
Browser compatibility
BCD tables only load in the browser
The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.