Access-Control-Allow-Credentials

Baseline: Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since July 2015.

The HTTP Access-Control-Allow-Credentials response header tells browsers whether the server allows credentials to be included in cross-origin HTTP requests.

Credentials include cookies, Transport Layer Security (TLS) client certificates, or authentication headers containing a username and password. By default, these credentials are not sent in cross-origin requests, and doing so can make a site vulnerable to Cross-Site Request Forgery (CSRF) attacks.

A client can ask for credentials to be included in cross-site requests in several ways, for example by calling fetch() with credentials: "include" or by setting withCredentials = true on an XMLHttpRequest (both are shown in the examples below).

When credentials are included:

  • For preflighted requests: The preflight request does not include credentials. If the server's response to the preflight request sets the Access-Control-Allow-Credentials header to true, then the real request will include credentials; otherwise, the browser reports a network error.
  • For non-preflighted requests: The request will include credentials, and if the server's response does not set the Access-Control-Allow-Credentials header to true, the browser reports a network error.
Header type: Response header
Forbidden header name: No

Syntax

```http
Access-Control-Allow-Credentials: true
```

Directives

true

The server allows credentials to be included in cross-origin HTTP requests. This is the only valid value for this header and is case-sensitive. If you don't need credentials, omit this header entirely rather than setting its value to false.

Examples

Allow credentials:

```http
Access-Control-Allow-Credentials: true
```

Using fetch() with credentials:

```js
fetch(url, {
  credentials: "include",
});
```

Using XMLHttpRequest with credentials:

```js
const xhr = new XMLHttpRequest();
xhr.open("GET", "http://example.com/", true);
xhr.withCredentials = true;
xhr.send(null);
```
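The two snippets above show the client side of a credentialed request. The following is an added example, not MDN's own code, showing the server side: how to answer both the preflight and the real request so that the browser's checks described earlier (Access-Control-Allow-Credentials must be exactly "true", and the allowed origin must name the requesting origin rather than "*") pass. The origin allowlist, the origins themselves and the function names are constructed for this example; a small model of the browser-side check is included so the behaviour can be exercised without a browser.

```javascript
// Added example (not MDN's code): server-side CORS headers for requests that
// carry credentials, plus a model of the browser's acceptance check.
// The allowlist below is a constructed sample; use your own origins.

const ALLOWED_ORIGINS = new Set([
  "https://app.example", // constructed sample origin
  "https://admin.example", // constructed sample origin
]);

// Headers for the real (non-preflight) request from an allowed origin.
// Returns null for any other origin: send no CORS headers at all, which the
// browser turns into a network error on the page that made the request.
function corsHeadersForCredentialedRequest(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return null;
  return {
    // Echo the specific origin; "*" is not accepted when credentials are sent.
    "Access-Control-Allow-Origin": requestOrigin,
    // The only valid value, and it is case-sensitive.
    "Access-Control-Allow-Credentials": "true",
    // The response differs per Origin, so shared caches must key on it.
    Vary: "Origin",
  };
}

// Headers for the preflight (OPTIONS) response. The preflight itself carries
// no credentials, but its response must still set the header to "true" or the
// browser will never send the credentialed real request.
function preflightHeadersFor(requestOrigin, requestedMethod) {
  const base = corsHeadersForCredentialedRequest(requestOrigin);
  if (!base) return null;
  return {
    ...base,
    "Access-Control-Allow-Methods": requestedMethod,
    "Access-Control-Max-Age": "600",
  };
}

// Model of the check a browser applies to a response when the request was
// made with credentials (fetch credentials: "include" or withCredentials).
// true: the response is exposed to the page; false: network error.
function browserAcceptsCredentialedResponse(headers, requestOrigin) {
  if (!headers) return false;
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  const allowCreds = headers["Access-Control-Allow-Credentials"];
  // The origin must match exactly; the wildcard fails in credentials mode.
  if (allowOrigin !== requestOrigin) return false;
  // "True", "TRUE" or "false" all fail; only the literal "true" passes.
  return allowCreds === "true";
}

// Stand-alone demonstration.
const origin = "https://app.example";
const ok = corsHeadersForCredentialedRequest(origin);
console.log("allowed origin ->", ok);
console.log("preflight ->", preflightHeadersFor(origin, "PUT"));
console.log("unknown origin ->", corsHeadersForCredentialedRequest("https://other.example"));
console.log(
  "browser accepts wildcard? ",
  browserAcceptsCredentialedResponse(
    { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true" },
    origin,
  ),
);
```

Returning null for an unlisted origin, rather than a response carrying a mismatched Access-Control-Allow-Origin, keeps the code path simple and has the same effect in the browser. The Vary: Origin header matters whenever the allowed origin is echoed back, because a cached copy of the response for one origin would otherwise be served to another.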

Specifications

Specification: Fetch Standard, section # http-access-control-allow-credentials

Browser compatibility


See also