Access-Control-Allow-Credentials response header
request's credentials mode (
When a request's credentials mode (
Access-Control-Allow-Credentials value is
Credentials are cookies, authorization headers, or TLS client certificates.
When used as part of a response to a preflight request, this indicates whether or not
the actual request can be made using credentials. Note that simple
requests are not preflighted. So, if a request is made for a resource with
credentials, and if this header is not returned with the resource, the response is ignored
by the browser and not returned to the web content.
Access-Control-Allow-Credentials header works in conjunction with the
XMLHttpRequest.withCredentials property or with the
credentials option in the
constructor of the Fetch API. For a CORS request with credentials, for browsers
Access-Control-Allow-Credentials header) and the client (by setting the
credentials mode for the XHR, Fetch, or Ajax request) must indicate that they're opting
into including credentials.
The only valid value for this header is
true(case-sensitive). If you don't need credentials, omit this header entirely (rather than setting its value to
|Fetch Standard |
BCD tables only load in the browser