withCredentials

withCredentials is a boolean property of the XMLHttpRequest (XHR) object that controls whether cross-origin requests should be made with credentials. Credentials can include cookies, authorization headers, and TLS client certificates. The property does not affect same-origin requests in most environments; it mainly governs cross-origin behavior. By default, withCredentials is false, meaning cross-origin requests do not include credentials unless explicitly enabled.

When withCredentials is set to true, the browser will include cookies and other credentials in cross-origin requests to the target server. This is commonly used when a web application needs to maintain authenticated sessions across origins or when a server relies on cookies for user state. Enabling credentials can impact browser privacy and security, so it should be used only with trusted origins and appropriate server configurations.

On the server side, enabling credentials requires corresponding CORS (Cross-Origin Resource Sharing) support. The server must respond with Access-Control-Allow-Credentials: true and must specify an explicit origin in Access-Control-Allow-Origin (wildcards are not allowed when credentials are allowed). If these headers are not present or misconfigured, the browser will not expose the response to the client and the request may fail.

Related behavior includes the handling of preflight requests. Cross-origin requests that include credentials may trigger an OPTIONS preflight, and the server must respond with suitable CORS headers to permit the actual request.

In modern web APIs, the Fetch API provides a similar capability via a credentials option (for example, credentials: include), rather than the withCredentials property. Developers should understand both mechanisms when working with cross-origin authentication and session management.
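
The server-side CORS rules for credentialed requests described above, as an added example that is not part of the original page: one function builds the response headers from an origin allowlist, and a second models the check the browser applies before exposing the response. The origins, the allowlist and the function names are constructed for illustration, and the Vary: Origin header is an addition beyond what the page states.

```javascript
// Added example: ALLOWED_ORIGINS, corsHeadersFor and browserExposes are hypothetical names.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",   // constructed sample origins
  "https://admin.example.com",
]);

// Server side: build CORS headers for a credentialed cross-origin request.
// Returns {} (no CORS headers at all) for origins that are not on the allowlist,
// instead of reflecting whatever Origin the request carried.
function corsHeadersFor(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== "string" || !allowed.has(requestOrigin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin, // explicit origin, never "*"
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // response differs per Origin, so caches must key on it
  };
}

// Browser side (model): would a response to a request made with
// withCredentials = true be exposed to the calling page?
function browserExposes(requestOrigin, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const acao = h["access-control-allow-origin"];
  const acac = h["access-control-allow-credentials"];
  if (acao === undefined) {
    return { ok: false, reason: "missing Access-Control-Allow-Origin" };
  }
  if (acao === "*") {
    return { ok: false, reason: "wildcard origin not allowed with credentials" };
  }
  if (acao !== requestOrigin) {
    return { ok: false, reason: "origin mismatch" };
  }
  if (acac !== "true") { // the value must be exactly "true"
    return { ok: false, reason: "Access-Control-Allow-Credentials is not true" };
  }
  return { ok: true, reason: "exposed" };
}
```
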