Access-Control-Allow-Credentials

The Access-Control-Allow-Credentials response header tells browsers whether the server allows cross-origin HTTP requests to include credentials.

Credentials are cookies, TLS client certificates, or authentication headers containing a username and password. By default, these credentials are not sent in cross-origin requests, and doing so can make a site vulnerable to CSRF attacks.

A client can ask that credentials should be included in cross-site requests in one of two ways:

  • Using fetch(), by setting the credentials option to "include".
  • Using XMLHttpRequest, by setting the XMLHttpRequest.withCredentials property to true.

If the client has asked for credentials to be included:

  • If the request is preflighted, then the preflight request does not include credentials. If the server's response to the preflight request sets the Access-Control-Allow-Credentials header to true, then the real request will include credentials; otherwise, the browser reports a network error.
  • If the request is not preflighted, then the request will include credentials, and if the server's response does not set the Access-Control-Allow-Credentials header to true, the browser reports a network error.
Header type            Response header
Forbidden header name  no

Syntax

```http
Access-Control-Allow-Credentials: true
```

Directives

true

The only valid value for this header is true (case-sensitive). If you don't need credentials, omit this header entirely (rather than setting its value to false).
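The browser-side rules above (credentials only flow when the header is exactly "true", and only to a matching origin) and the "case-sensitive" note in this section can be modelled in a few lines. The following is an added example, not code from the MDN page or the Fetch Standard; it assumes Node.js and a constructed origin allowlist, and it also applies the related Fetch Standard rule that a wildcard Access-Control-Allow-Origin is rejected when credentials are included.

```javascript
// Added example: a server-side helper that emits safe CORS headers for a
// credentialed request, and a browser-side model of the check that decides
// whether such a response is accepted. Pure functions, no network I/O.

// Constructed allowlist (assumption): origins permitted to send credentials.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);

// Server side: build response headers for a credentialed cross-origin request.
// Only an allowlisted origin is echoed back. "*" is never emitted, because
// browsers refuse a wildcard origin when credentials are included, and
// echoing arbitrary origins would let any site read authenticated responses.
function credentialedCorsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) {
    return {}; // unknown origin: no CORS headers, so the browser blocks access
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true", // the only valid value
    Vary: "Origin", // caches must not replay one origin's answer to another
  };
}

// Browser side: does a credentialed response pass the CORS check?
// Header names are case-insensitive, but the ACAC value is not: "True",
// "TRUE" or "false" all count as absent and produce a network error.
function passesCredentialedCorsCheck(requestOrigin, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = value;
  }
  if (h["access-control-allow-credentials"] !== "true") return false;
  // With credentials, the allowed origin must match exactly; "*" fails.
  if (h["access-control-allow-origin"] !== requestOrigin) return false;
  return true;
}
```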

Examples

Allow credentials:

```http
Access-Control-Allow-Credentials: true
```

Using fetch() with credentials:

```js
fetch(url, {
  credentials: "include",
});
```

Using XMLHttpRequest with credentials:

```js
const xhr = new XMLHttpRequest();
xhr.open("GET", "http://example.com/", true);
xhr.withCredentials = true;
xhr.send(null);
```

Specifications

Specification  Fetch Standard (# http-access-control-allow-credentials)

Browser compatibility


See also