Access-Control-Allow-Credentials Header
Table of Contents
- Syntax
- Directives
- Examples
- Browser Compatibility
- How to modify Access-Control-Allow-Credentials header
The Access-Control-Allow-Credentials HTTP response header is part of the Cross-Origin Resource Sharing (CORS) mechanism. It tells browsers whether to expose the response to frontend JavaScript code when the request's credentials mode (Request.credentials) is include. The server sends it to indicate that the client's credentials, such as cookies, HTTP authentication or client-side SSL certificates, are permitted to be sent via XMLHttpRequest or Fetch API.
Syntax
Access-Control-Allow-Credentials: <true or false>
Directives
The Access-Control-Allow-Credentials header only has one directive:
true: Indicates that the site specified in the header's value can share user credentials via cookies, HTTP authentication, or client-side SSL certificates.
Examples
- Allowing credentials in a response:
Access-Control-Allow-Credentials: true
- Not allowing credentials in a response:
Access-Control-Allow-Credentials: false
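How a browser evaluates these response headers for a cross-origin request, as an added JavaScript example that is not part of the original page. It is a simplified model of the CORS check in the Fetch standard; the function name corsCheck, the origin and the sample header objects are constructed for illustration.

```javascript
// Added example: simplified model of the browser-side CORS check from the
// Fetch standard. Header objects use lower-cased names; all origins and
// header values below are constructed for illustration.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  const allowCredentials = headers["access-control-allow-credentials"];
  const withCredentials = credentialsMode === "include";

  if (allowOrigin === undefined) {
    return { exposed: false, reason: "no Access-Control-Allow-Origin" };
  }
  // The wildcard only satisfies requests sent without credentials.
  if (allowOrigin === "*" && !withCredentials) {
    return { exposed: true, reason: "wildcard, no credentials" };
  }
  if (allowOrigin !== requestOrigin) {
    return { exposed: false, reason: "origin not allowed" };
  }
  if (!withCredentials) {
    return { exposed: true, reason: "origin allowed, no credentials" };
  }
  // Credentialed request: the value must be exactly "true" (case-sensitive).
  // "false", "True" or a missing header all fail the check.
  if (allowCredentials === "true") {
    return { exposed: true, reason: "origin and credentials allowed" };
  }
  return { exposed: false, reason: "credentials not allowed" };
}

const origin = "https://app.example"; // constructed requesting origin
const samples = [
  { "access-control-allow-origin": origin, "access-control-allow-credentials": "true" },
  { "access-control-allow-origin": origin, "access-control-allow-credentials": "false" },
  { "access-control-allow-origin": origin, "access-control-allow-credentials": "True" },
  { "access-control-allow-origin": origin },
  { "access-control-allow-origin": "*", "access-control-allow-credentials": "true" },
];
for (const headers of samples) {
  const { exposed, reason } = corsCheck(origin, "include", headers);
  console.log(JSON.stringify(headers), "->", exposed ? "exposed" : "blocked", `(${reason})`);
}
```

Only the first sample is exposed to JavaScript; a wildcard Access-Control-Allow-Origin never satisfies a request whose credentials mode is include, even when Access-Control-Allow-Credentials is true.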
Browser Compatibility
Browser | Compatibility |
---|---|
Chrome | Supported |
Firefox | Supported |
Safari | Supported |
Opera | Supported |
Edge | Supported |
How to modify Access-Control-Allow-Credentials header
ModHeader is a browser extension that allows you to modify HTTP request and response headers. To modify the Access-Control-Allow-Credentials header using ModHeader, follow these steps:
- Install and open the ModHeader extension.
- Click on the '+' button to create a new profile.
- Under the 'Response headers' section, click on 'add'.
- In the 'Name' field, enter 'Access-Control-Allow-Credentials'.
- In the 'Value' field, enter 'true' or 'false' depending on your requirement.
- Save the profile, and it is now active.
Modifying the Access-Control-Allow-Credentials header this way lets you test cross-origin requests with credentials in your application without needing to modify the server's actual configuration.