Product
HTTP Interceptor

A Power HTTP Interceptor to Intercept, Record, Debug & Modify HTTP Requests

API Client

A lightweight and secure API Client for faster API Development & Testing

API Mocking

Build frontend faster without waiting for backend.

Solutions
Frontend Web/Mobile Developers

Requestly improves front-end workflows with local JS testing, mocking, and SessionBook debugging.

For QA engineers

QA engineers love Requestly for its features and ease of use, allowing easy edge case testing.

Support Engineer

Support engineers value Requestly for debugging, demoing, and overriding GTM and Adobe scripts.

Backend Developers

Requestly helps in improving back-end development workflows, by enabling testing.

Pricing
Resources
Pricing
Blog
Case Studies
Status
Github
Release Note
Student Programme
🎉 Requestly joins BrowserStack to build the future of application testing. Read more

HTTP Headers

Access Control Allow Credentials

HTTP Header

The HTTP Access-Control-Allow-Credentials response header indicates to browsers whether the server permits credentials to be included in cross-origin HTTP requests.

Credentials encompass cookies, Transport Layer Security (TLS) client certificates, or authentication headers that carry a username and password.
By default, browsers do not send these credentials in cross-origin requests, and enabling this can increase vulnerability to Cross-Site Request Forgery (CSRF) attacks.

Clients can request credentials to be included in cross-origin requests through various methods:

  • Using fetch(), by setting the credentials option to "include".

  • Using XMLHttpRequest, by setting the XMLHttpRequest.withCredentials property to true.

  • Using EventSource(), by setting the EventSource.withCredentials property to true.

When credentials are included:

  • For preflighted requests: The preflight request does not contain credentials. If the server responds to the preflight with the Access-Control-Allow-Credentials header set to true, then the actual request will include credentials; otherwise, the browser reports a network error.

  • For non-preflighted requests: Credentials will be included, but if the server’s response does not set the Access-Control-Allow-Credentials header to true, the browser reports a network error.

Header typeResponse header
Forbidden request headerNo

Syntax

Access-Control-Allow-Credentials: true

Directives

The server permits the inclusion of credentials in cross-origin HTTP requests. This is the only acceptable value for this header and it is case-sensitive. If credentials are not required, it is better to omit this header entirely rather than setting its value to false.

Example

Examples

Allow credentials:

http
Access-Control-Allow-Credentials: true

Using fetch() with credentials:

js
fetch(url, {
 credentials: "include",
});

Using XMLHttpRequest with credentials:

js
const xhr = new XMLHttpRequest();
xhr.open("GET", "http://example.com/", true);
xhr.withCredentials = true;
xhr.send(null);

How to Modify Header using Requestly

Requestly is a powerful Chrome extension that allows you to modify HTTP headers, including the Access-Control-Allow-Credentials header. This is especially useful for testing and debugging how your application handles cross-origin requests and credentials during development. Steps to Modify the Access-Control-Allow-Credentials Header:

  1. Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
  2. Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
  3. Add a new header modification:
    • Under “Action”, select “Add” or “Override”.
    • In the “Header Name” field, enter Access-Control-Allow-Credentials.
    • In the “Header Value” field, enter true or your preferred value.
  4. Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-api.com/*).
  5. Save the rule.

Once set up, Requestly will inject the Access-Control-Allow-Credentials: true header into all matching responses, allowing you to control whether browsers include credentials like cookies in cross-origin requests and test security and functionality accordingly. You might need to modify this header to test how your web application handles authenticated cross-origin requests, ensuring that credentials are sent or blocked as expected for your CORS configuration. This helps improve security and user experience in development.