Access-Control-Allow-Credentials
The HTTP Access-Control-Allow-Credentials
response header tells browsers whether the server allows credentials to be included in cross-origin HTTP requests.
Credentials include cookies, Transport Layer Security (TLS) client certificates, or authentication headers containing a username and password. By default, these credentials are not sent in cross-origin requests, and doing so can make a site vulnerable to Cross-Site Request Forgery (CSRF) attacks.
A client can ask for credentials to be included in cross-site requests in several ways:
- Using
fetch()
, by setting thecredentials
option to"include"
. - Using
XMLHttpRequest
, by setting theXMLHttpRequest.withCredentials
property totrue
. - Using
EventSource()
, by setting theEventSource.withCredentials
property totrue
.
When credentials are included:
- For preflighted requests: The preflight request does not include credentials.
If the server's response to the preflight request sets the
Access-Control-Allow-Credentials
header totrue
, then the real request will include credentials; otherwise, the browser reports a network error. - For non-preflighted requests: The request will include credentials, and if the server's response does not set the
Access-Control-Allow-Credentials
header totrue
, the browser reports a network error.
Header type | Response header |
---|---|
Forbidden header name | No |
Syntax
Access-Control-Allow-Credentials: true
Directives
true
-
The server allows credentials to be included in cross-origin HTTP requests. This is the only valid value for this header and is case-sensitive. If you don't need credentials, omit this header entirely rather than setting its value to
false
.
Examples
Allow credentials:
Access-Control-Allow-Credentials: true
Using fetch()
with credentials:
fetch(url, {
credentials: "include",
});
Using XMLHttpRequest
with credentials:
const xhr = new XMLHttpRequest();
xhr.open("GET", "http://example.com/", true);
xhr.withCredentials = true;
xhr.send(null);
Specifications
Specification |
---|
Fetch Standard # http-access-control-allow-credentials |
Browser compatibility
BCD tables only load in the browser