Access-Control-Allow-Credentials

응답헤더 Access-Control-Allow-Credentials 는  요청의 자격증명 모드(Request.credentials)가 "include" 일때,   브라우저들이 응답을 프로트엔드 자바스트립트 코드에 노출할지에 대해 알려줍니다.

 요청의 자격증명 모드가  (Request.credentials)가  "include" 일 때,  Access-Control-Allow-Credentials 값이 true 이면, 브라우저들은 응답을 프로트엔드 자바스트립트에 응답을 노출 할 것입니다.

자격증명들은 쿠키, authorization 헤더들 또는 TLS 클라이언트 인증서입니다.

사전 요청의 응답으로 사용할 때, 실제 요청에서 자격증명을 이용할 수 있는지에 대해서 알려줍니다. 심플한 GET 요청은 사전 요청하지 않으므로, 자격증명과 함께 리소스에 대한 요청이 만들어 지고,  응답에서 리소스와 함께 이 헤더가 없다면 브라우저는 응답을 무시하고 웹 콘텐츠가 전달 되지 않습니다.

Access-Control-Allow-Credentials 헤더는 header works in conjunction with the XMLHttpRequest.withCredentials property or with the credentials option in the Request() constructor of the Fetch API. For a CORS request with credentials, in order for browsers to expose the response to frontend JavaScript code, both the server (using the Access-Control-Allow-Credentials header) and the client (by setting the credentials mode for the XHR, Fetch, or Ajax request) must indicate that they’re opting in to including credentials.

Header type Response header
Forbidden header name no

Syntax

Access-Control-Allow-Credentials: true

Directives

true
The only valid value for this header is true (case-sensitive). If you don't need credentials, omit this header entirely (rather than setting its value to false).

Examples

Allow credentials:

Access-Control-Allow-Credentials: true

Using XHR with credentials:

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://example.com/', true); 
xhr.withCredentials = true; 
xhr.send(null);

Using Fetch with credentials:

fetch(url, {
  credentials: 'include'  
})

Specifications

Specification Status Comment
Fetch
The definition of 'Access-Control-Allow-Credentials' in that specification.		 Living Standard Initial definition

Browser compatibility

Update compatibility data on GitHub
DesktopMobile
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidFirefox for AndroidOpera for AndroidSafari on iOSSamsung Internet
Access-Control-Allow-CredentialsChrome Full support 4Edge Full support 12Firefox Full support 3.5IE Full support 10Opera Full support 12Safari Full support 4WebView Android Full support 2Chrome Android Full support YesFirefox Android Full support 4Opera Android Full support 12Safari iOS Full support 3.2Samsung Internet Android Full support Yes

Legend

Full support  
Full support

See also

관련 주제
  1. HTTP
  2. 가이드:
  3. 리소스와 URIs
    1. 웹의 리소스 식별하기
    2. 데이터 URIs
    3. MIME 타입 소개
    4. MIME 타입의 전체 리스트
    5. www와 non-www URL 중에서 선택하기
  4. HTTP 가이드
    1. HTTP 기본
    2. HTTP 개요
    3. HTTP의 진화
    4. HTTP 메시지
    5. 전형적인 HTTP 세션
    6. HTTP/1.x의 연결 관리
    7. 프로토콜 업그레이드 메커니즘
  5. HTTP 보안
    1. Content Security Policy (CSP)
    2. HTTP Public Key Pinning (HPKP)
    3. HTTP Strict Transport Security (HSTS)
    4. Cookie security
    5. X-Content-Type-Options
    6. X-Frame-Options
    7. X-XSS-Protection
    8. Mozilla web security guidelines
    9. Mozilla Observatory
  6. HTTP 접근 제어(CORS)
  7. HTTP 인증
  8. HTTP 캐싱
  9. HTTP 압축
  10. HTTP 조건부 요청
  11. HTTP 컨텐츠 협상
  12. HTTP 쿠키
  13. HTTP range 요청
  14. HTTP 리다이렉트
  15. HTTP 명세
  16. Feature policy
  17. 레퍼런스:
  18. HTTP 헤더
    1. Accept
    2. Accept-Charset
    3. Accept-Encoding
    4. Accept-Language
    5. Accept-Patch [Translate]
    6. Accept-Ranges
    7. Access-Control-Allow-Credentials
    8. Access-Control-Allow-Headers
    9. Access-Control-Allow-Methods [Translate]
    10. Access-Control-Allow-Origin
    11. Access-Control-Expose-Headers [Translate]
    12. Access-Control-Max-Age [Translate]
    13. Access-Control-Request-Headers [Translate]
    14. Access-Control-Request-Method [Translate]
    15. Age
    16. Allow [Translate]
    17. Alt-Svc [Translate]
    18. Authorization
    19. Cache-Control
    20. Clear-Site-Data [Translate]
    21. Connection
    22. Content-Disposition [Translate]
    23. Content-Encoding
    24. Content-Language
    25. Content-Length
    26. Content-Location
    27. Content-Range
    28. Content-Security-Policy
    29. Content-Security-Policy-Report-Only [Translate]
    30. Content-Type
    31. Cookie
    32. Cookie2 [Translate]
    33. Cross-Origin-Resource-Policy [Translate]
    34. DNT
    35. Date
    36. Digest [Translate]
    37. ETag
    38. Early-Data [Translate]
    39. Expect
    40. Expect-CT [Translate]
    41. Expires
    42. Feature-Policy [Translate]
    43. Forwarded
    44. From
    45. Host
    46. If-Match [Translate]
    47. If-Modified-Since
    48. If-None-Match [Translate]
    49. If-Range
    50. If-Unmodified-Since [Translate]
    51. Index [Translate]
    52. Keep-Alive
    53. Large-Allocation [Translate]
    54. Last-Modified
    55. Link [Translate]
    56. Location [Translate]
    57. Origin [Translate]
    58. Pragma
    59. Proxy-Authenticate [Translate]
    60. Proxy-Authorization [Translate]
    61. Public-Key-Pins [Translate]
    62. Public-Key-Pins-Report-Only [Translate]
    63. Range
    64. Referer
    65. Referrer-Policy [Translate]
    66. Retry-After
    67. Save-Data [Translate]
    68. Sec-WebSocket-Accept [Translate]
    69. Server
    70. Server-Timing [Translate]
    71. Set-Cookie
    72. Set-Cookie2 [Translate]
    73. SourceMap [Translate]
    74. Strict-Transport-Security
    75. TE [Translate]
    76. Timing-Allow-Origin [Translate]
    77. Tk [Translate]
    78. Trailer [Translate]
    79. Transfer-Encoding
    80. Upgrade-Insecure-Requests [Translate]
    81. User-Agent [Translate]
    82. Vary
    83. Via [Translate]
    84. WWW-Authenticate [Translate]
    85. Want-Digest [Translate]
    86. Warning [Translate]
    87. X-Content-Type-Options [Translate]
    88. X-DNS-Prefetch-Control [Translate]
    89. X-Forwarded-For
    90. X-Forwarded-Host [Translate]
    91. X-Forwarded-Proto
    92. X-Frame-Options
    93. X-XSS-Protection
  19. HTTP 요청 메소드
    1. CONNECT
    2. DELETE
    3. GET
    4. HEAD
    5. OPTIONS
    6. PATCH [Translate]
    7. POST
    8. PUT
    9. TRACE [Translate]
  20. HTTP 응답 상태 코드
    1. 100 Continue
    2. 101 Switching Protocols
    3. 103 Early Hints [Translate]
    4. 200 OK
    5. 201 Created
    6. 202 Accepted [Translate]
    7. 203 Non-Authoritative Information [Translate]
    8. 204 No Content [Translate]
    9. 205 Reset Content [Translate]
    10. 206 Partial Content
    11. 300 Multiple Choices [Translate]
    12. 301 Moved Permanently
    13. 302 Found
    14. 303 See Other [Translate]
    15. 304 Not Modified
    16. 307 Temporary Redirect [Translate]
    17. 308 Permanent Redirect [Translate]
    18. 400 Bad Request
    19. 401 Unauthorized
    20. 402 Payment Required [Translate]
    21. 403 Forbidden
    22. 404 Not Found
    23. 405 Method Not Allowed
    24. 406 Not Acceptable [Translate]
    25. 407 Proxy Authentication Required [Translate]
    26. 408 Request Timeout [Translate]
    27. 409 Conflict
    28. 410 Gone [Translate]
    29. 411 Length Required
    30. 412 Precondition Failed [Translate]
    31. 413 Payload Too Large
    32. 414 URI Too Long [Translate]
    33. 415 Unsupported Media Type [Translate]
    34. 416 Range Not Satisfiable
    35. 417 Expectation Failed [Translate]
    36. 418 I'm a teapot
    37. 422 Unprocessable Entity
    38. 425 Too Early [Translate]
    39. 426 Upgrade Required [Translate]
    40. 428 Precondition Required [Translate]
    41. 429 Too Many Requests [Translate]
    42. 431 Request Header Fields Too Large [Translate]
    43. 451 Unavailable For Legal Reasons [Translate]
    44. 500 Internal Server Error
    45. 501 Not Implemented [Translate]
    46. 502 Bad Gateway [Translate]
    47. 503 Service Unavailable
    48. 504 Gateway Timeout [Translate]
    49. 505 HTTP Version Not Supported [Translate]
    50. 511 Network Authentication Required [Translate]
  21. CSP 지시문
    1. CSP: base-uri [Translate]
    2. CSP: block-all-mixed-content [Translate]
    3. CSP: child-src [Translate]
    4. CSP: connect-src [Translate]
    5. CSP: default-src
    6. CSP: font-src [Translate]
    7. CSP: form-action [Translate]
    8. CSP: frame-ancestors [Translate]
    9. CSP: frame-src [Translate]
    10. CSP: img-src
    11. CSP: manifest-src [Translate]
    12. CSP: media-src
    13. CSP: navigate-to [Translate]
    14. CSP: object-src [Translate]
    15. CSP: plugin-types [Translate]
    16. CSP: prefetch-src [Translate]
    17. CSP: referrer [Translate]
    18. report-to
    19. CSP: report-uri [Translate]
    20. CSP: require-sri-for [Translate]
    21. CSP: sandbox [Translate]
    22. CSP: script-src
    23. CSP: script-src-attr [Translate]
    24. CSP: script-src-elem [Translate]
    25. CSP: style-src [Translate]
    26. CSP: style-src-attr [Translate]
    27. CSP: style-src-elem [Translate]
    28. CSP: trusted-types [Translate]
    29. CSP: upgrade-insecure-requests [Translate]
    30. CSP: worker-src [Translate]
  22. CORS 에러
    1. Reason: CORS disabled [Translate]
    2. Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz' [Translate]
    3. Reason: CORS header 'Access-Control-Allow-Origin' missing [Translate]
    4. Reason: CORS header ‘Origin’ cannot be added [Translate]
    5. Reason: CORS preflight channel did not succeed [Translate]
    6. Reason: CORS request did not succeed
    7. Reason: CORS request external redirect not allowed [Translate]
    8. Reason: CORS request not HTTP [Translate]
    9. Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’ [Translate]
    10. Reason: Did not find method in CORS header ‘Access-Control-Allow-Methods’ [Translate]
    11. Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed [Translate]
    12. Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’ [Translate]
    13. Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ [Translate]
    14. Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Methods’ [Translate]
    15. Reason: missing token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel [Translate]
  23. Feature-Policy 지시문
    1. Feature-Policy: accelerometer [Translate]
    2. Feature-Policy: ambient-light-sensor [Translate]
    3. Feature-Policy: autoplay [Translate]
    4. Feature-Policy: camera [Translate]
    5. Feature-Policy: display-capture [Translate]
    6. Feature-Policy: document-domain [Translate]
    7. Feature-Policy: encrypted-media [Translate]
    8. Feature-Policy: fullscreen [Translate]
    9. Feature-Policy: geolocation [Translate]
    10. Feature-Policy: gyroscope [Translate]
    11. Feature-Policy: layout-animations [Translate]
    12. Feature-Policy: legacy-image-formats [Translate]
    13. Feature-Policy: magnetometer [Translate]
    14. Feature-Policy: microphone [Translate]
    15. Feature-Policy: midi [Translate]
    16. Feature-Policy: oversized-images [Translate]
    17. Feature-Policy: payment [Translate]
    18. Feature-Policy: picture-in-picture [Translate]
    19. Feature-Policy: speaker [Translate]
    20. Feature-Policy: sync-xhr [Translate]
    21. Feature-Policy: unoptimized-images [Translate]
    22. Feature-Policy: unsized-media [Translate]
    23. Feature-Policy: usb [Translate]
    24. Feature-Policy: vibrate [Translate]
    25. Feature-Policy: vr [Translate]
    26. Feature-Policy: wake-lock [Translate]
    27. Feature-Policy: webauthn [Translate]
    28. Feature-Policy: xr [Translate]