Access-Control-Allow-Credentials Header

Table of Content

The Access-Control-Allow-Credentials HTTP response header is part of the Cross-origin Resource Sharing (CORS) mechanism. It tells browsers whether to expose the response to frontend JavaScript code when the request's credentials mode (Request.credentials) is include. The server sends it to indicate that the client's credentials, such as cookies, HTTP authentication or client-side SSL certificates, are permitted to be sent via XMLHttpRequest or Fetch API.


Access-Control-Allow-Credentials: <true or false>


The Access-Control-Allow-Credentials header only has one directive:

  • true: Indicates that the site specified in the header's value can share user credentials via cookies, HTTP authentication, or client-side SSL certificates.


  • Allowing credentials in a response:
    Access-Control-Allow-Credentials: true
  • Not allowing credentials in a response:
    Access-Control-Allow-Credentials: false

Browser Compatibility

Browser Compatibility
Chrome Supported
Firefox Supported
Safari Supported
Opera Supported
Edge Supported

How to modify Access-Control-Allow-Credentials header

ModHeader is a browser extension that allows you to modify HTTP request and response headers. To modify the Access-Control-Allow-Credentials header using ModHeader, follow the steps:

  1. Install and open the ModHeader extension.
  2. Click on the '+' button to create a new profile.
  3. Under the 'Response headers' section, click on 'add'.
  4. In the 'Name' field, enter 'Access-Control-Allow-Credentials'.
  5. In the 'Value' field, enter 'true' or 'false' depending on your requirement.
  6. Save the profile, and it is now active.

By modifying the Access-Control-Allow-Credentials header, it helps you test the cross-origin requests with credentials in your application without needing to modify the server's actual configuration.