allow-credentials

The allow-credentials entry controls whether or not the reverse proxy returns the Access-Control-Allow-Credentials header to clients.

Syntax

allow-credentials = {true, false}

Description

Indicates to clients whether authentication is required when accessing resources that are protected by this policy. When this entry is enabled, the policy inserts the following header in both pre-flight and cross-origin responses:
Access-Control-Allow-Credentials: true
Note:
  • Setting this entry to false or not specifying it omits the header from responses. The Access-Control-Allow-Credentials header is never present with any value other than true.
  • If this entry is enabled and all origins are allowed (allow-origin is set to '*') the reverse proxy never responds with a wildcard for allowed origins:
    Access-Control-Allow-Origin: '*'
    When all origins are allowed and credentials are required, the reverse proxy will instead respond with the origin presented in the request as the allowed origin:
    Access-Control-Allow-Origin: <origin header from request>

This applies to both pre-flight and cross-origin requests.
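
The header rules described above, modelled as an added example (not the reverse proxy's own code) so a configuration can be reviewed before deployment. The function names and the example.test origins are constructed for illustration; treating repeated allow-origin entries as a list and returning no CORS headers for an origin that is not allowed are assumptions.

```python
# Added example: a model of the documented behaviour, not the reverse proxy's code.
TRUE_VALUES = {"yes", "true"}  # option values listed on the page

# Constructed sample entries (placeholder origins).
WEAK = """
allow-origin = *
allow-credentials = true
"""
PINNED = """
allow-origin = https://app.example.test
allow-credentials = true
"""

def parse_entries(text):
    """Collect 'key = value' lines; repeated keys are kept as a list (assumption)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        entries.setdefault(key, []).append(value.strip("'\""))
    return entries

def credentials_enabled(entries):
    # Entry is optional; the documented default is false.
    return entries.get("allow-credentials", ["false"])[-1].lower() in TRUE_VALUES

def cors_headers(entries, request_origin):
    """Headers the policy would add for a request carrying this Origin."""
    origins = entries.get("allow-origin", [])
    creds = credentials_enabled(entries)
    if "*" in origins:
        # Documented rule: never send the wildcard together with credentials.
        allowed = request_origin if creds else "*"
    elif request_origin in origins:
        allowed = request_origin
    else:
        return {}  # assumption: no CORS headers for an origin that is not allowed
    headers = {"Access-Control-Allow-Origin": allowed}
    if creds:
        headers["Access-Control-Allow-Credentials"] = "true"  # only ever "true"
    return headers

def audit(entries):
    """Flag the combination that echoes any origin with credentials allowed."""
    if credentials_enabled(entries) and "*" in entries.get("allow-origin", []):
        return ["allow-origin = * with allow-credentials enabled: "
                "every requesting origin is echoed back as allowed"]
    return []
```

Running audit over the WEAK entries returns one finding, while the PINNED entries return none and only the listed origin receives the credentials header.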

Options

yes | true
Add the Access-Control-Allow-Credentials header with a value of true to pre-flight and cross-origin responses.
no | false
Do not add an Access-Control-Allow-Credentials header to pre-flight and cross-origin responses.

Usage

This stanza entry is optional.

Default value

false

Example

allow-credentials = false