Access-Control-Allow-Credentials

The Access-Control-Allow-Credentials response header tells browsers whether to expose the response to frontend JavaScript code when the request's credentials mode (Request.credentials) is "include".

When a request's credentials mode (Request.credentials) is "include", browsers will only expose the response to frontend JavaScript code if the Access-Control-Allow-Credentials value is true.

Credentials are cookies, authorization headers or TLS client certificates.

When used as part of a response to a preflight request, this indicates whether or not the actual request can be made using credentials. Note that simple GET requests are not preflighted, and so if a request is made for a resource with credentials, if this header is not returned with the resource, the response is ignored by the browser and not returned to web content.

The Access-Control-Allow-Credentials header works in conjunction with the XMLHttpRequest.withCredentials property or with the credentials option in the Request() constructor of the Fetch API. For a CORS request with credentials, in order for browsers to expose the response to frontend JavaScript code, both the server (using the Access-Control-Allow-Credentials header) and the client (by setting the credentials mode for the XHR, Fetch, or Ajax request) must indicate that they’re opting in to including credentials.

Header type Response header
Forbidden header name no

Syntax

Access-Control-Allow-Credentials: true

Directives

true
The only valid value for this header is true (case-sensitive). If you don't need credentials, omit this header entirely (rather than setting its value to false).

Examples

Allow credentials:

Access-Control-Allow-Credentials: true

Using XHR with credentials:

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://example.com/', true); 
xhr.withCredentials = true; 
xhr.send(null);

Using Fetch with credentials:

fetch(url, {
  credentials: 'include'  
})

Specifications

Specification Status Comment
Fetch
La définition de 'Access-Control-Allow-Credentials' dans cette spécification.
Standard évolutif Initial definition

Browser compatibility

Update compatibility data on GitHub
OrdinateurMobile
ChromeEdgeFirefoxInternet ExplorerOperaSafariWebview AndroidChrome pour AndroidFirefox pour AndroidOpera pour AndroidSafari sur iOSSamsung Internet
Access-Control-Allow-CredentialsChrome Support complet 4Edge Support complet 12Firefox Support complet 3.5IE Support complet 10Opera Support complet 12Safari Support complet 4WebView Android Support complet 2Chrome Android Support complet OuiFirefox Android Support complet 4Opera Android Support complet 12Safari iOS Support complet 3.2Samsung Internet Android Support complet Oui

Légende

Support complet  
Support complet

See also