← Back to headers
HTTP Header
Access-Control-Allow-Credentials
CORSIndicates whether credentials such as cookies or authorization headers can be included in cross-origin requests.
HTTP header reference, syntax, examples, and developer usage.
What is the Access-Control-Allow-Credentials header?
The Access-Control-Allow-Credentials HTTP header is used to transmit metadata between a client and server as part of HTTP requests or responses.
HTTP headers define how content should be interpreted, cached, authenticated, secured, or processed by browsers and APIs.
Direction
This header may appear in both HTTP requests and responses.
Syntax
Access-Control-Allow-Credentials: true
Example
Access-Control-Allow-Credentials: true
Common use cases
- Cross-site cookie authentication
- Credentialed API requests
- CORS with sessions
Common mistakes
- Using the header in the wrong request or response context
- Sending invalid header values
- Incorrect header syntax
- Assuming the header automatically changes server behaviour