# Access-Control-Allow-Credentials

{{HTTPSidebar}}
The HTTP **`Access-Control-Allow-Credentials`** {{Glossary("response header")}} tells browsers whether the server allows credentials to be included in cross-origin HTTP requests.
Credentials include cookies, {{glossary("TLS", "Transport Layer Security (TLS)")}} client certificates, or authentication headers containing a username and password.
By default, these credentials are not sent in cross-origin requests, and doing so can make a site vulnerable to {{Glossary("CSRF", "Cross-Site Request Forgery (CSRF)")}} attacks.
A client can ask for credentials to be included in cross-site requests in several ways:

- Using {{domxref("Window/fetch", "fetch()")}}, by setting the `credentials` option to `"include"`.
- Using {{domxref("XMLHttpRequest")}}, by setting the {{domxref("XMLHttpRequest.withCredentials")}} property to `true`.
- Using {{domxref("EventSource()")}}, by setting the {{domxref("EventSource.withCredentials")}} property to `true`.
When credentials are included:

- For {{glossary("Preflight_request", "preflighted")}} requests: The preflight request does not include credentials. If the server's response to the preflight request sets the `Access-Control-Allow-Credentials` header to `true`, then the real request will include credentials; otherwise, the browser reports a network error.
- For non-preflighted requests: The request will include credentials, and if the server's response does not set the `Access-Control-Allow-Credentials` header to `true`, the browser reports a network error.
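The server side of the exchange above, as an added example that is not part of this page: a framework-free helper that decides which CORS headers to send for a preflight and for the actual request. The origin allow-list and the sample requests are constructed for illustration; note that browsers reject `Access-Control-Allow-Origin: *` combined with `Access-Control-Allow-Credentials: true`, so the server must echo one specific, trusted origin.

```javascript
// Added example (not code from the MDN page). Origins below are hypothetical.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",   // constructed: a trusted front-end
  "https://admin.example.com", // constructed: another trusted front-end
]);

// Decide the CORS headers for a cross-origin request that may carry credentials.
//   requestHeaders: object of lower-cased request header names to values
//   isPreflight:    true for the OPTIONS preflight, false for the real request
// Returns { allowed, headers }; `headers` is the CORS part of the response.
function corsResponse(requestHeaders, isPreflight) {
  const origin = requestHeaders["origin"];
  // Responses differ per Origin, so shared caches must key on it.
  const headers = { Vary: "Origin" };

  // Missing or untrusted origin: send no Access-Control-* headers at all.
  // The browser then reports a network error for the credentialed request,
  // which is the safe failure mode. (Same-origin requests carry no Origin
  // header and are not subject to CORS.)
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { allowed: false, headers };
  }

  // Echo the one trusted origin back explicitly (never "*" with credentials)
  // and opt in to credentials with the single valid, case-sensitive value.
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";

  if (isPreflight) {
    // The preflight itself carries no cookies; it only negotiates what the
    // real request may do. Use a fixed allow-list rather than reflecting
    // Access-Control-Request-Headers from the client.
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
    headers["Access-Control-Max-Age"] = "600";
  }
  return { allowed: true, headers };
}

// Sample usage with constructed requests.
console.log(corsResponse({ origin: "https://app.example.com" }, true));
console.log(corsResponse({ origin: "https://attacker.example" }, false));
```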
| Header type                               | {{Glossary("Response header")}} |
| ----------------------------------------- | ------------------------------- |
| {{Glossary("Forbidden header name")}}     | No                              |
## Syntax

```http
Access-Control-Allow-Credentials: true
```
## Directives

- `true`
  - : The server allows credentials to be included in cross-origin HTTP requests.
    This is the only valid value for this header and is case-sensitive.
    If you don't need credentials, omit this header entirely rather than setting its value to `false`.
## Examples

Allow credentials:

```http
Access-Control-Allow-Credentials: true
```

Using {{domxref("Window/fetch", "fetch()")}} with credentials:

```js
fetch(url, {
  credentials: "include",
});
```

Using {{domxref("XMLHttpRequest")}} with credentials:

```js
const xhr = new XMLHttpRequest();
xhr.open("GET", "http://example.com/", true);
xhr.withCredentials = true;
xhr.send(null);
```
## Specifications

{{Specifications}}

## Browser compatibility

{{Compat}}

## See also

- {{domxref("XMLHttpRequest.withCredentials")}}
- {{domxref("Request.Request()", "Request()")}}