allow-credentials
The allow-credentials entry controls whether or not the reverse proxy returns the Access-Control-Allow-Credentials header to clients.
Syntax
allow-credentials = {true, false}
Description
Indicates to clients whether authentication is required when accessing resources that are protected by this policy. When this entry is enabled, the policy inserts the following header in both pre-flight and cross-origin responses:
Access-Control-Allow-Credentials: true
Note:
- Setting this entry to false or not specifying it omits the header from responses. The Access-Control-Allow-Credentials header is never present with any value other than true.
- If this entry is enabled and all origins are allowed (allow-origin is set to '*'), the reverse proxy never responds with a wildcard for allowed origins:
Access-Control-Allow-Origin: '*'
When all origins are allowed and credentials are required, the reverse proxy will instead respond with the origin presented in the request as the allowed origin:
Access-Control-Allow-Origin: <origin header from request>
This applies to both pre-flight and cross-origin requests.
Options
- yes | true
- Add the Access-Control-Allow-Credentials header with a value of true to responses for pre-flight and cross-origin requests.
- no | false
- Do not add an Access-Control-Allow-Credentials header to responses for pre-flight and cross-origin requests.
Usage
This stanza entry is optional.
Default value
false
Example
allow-credentials = false
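The following added example (not product code) models the header rules in the Note above and audits the result: with allow-origin set to '*' and allow-credentials enabled, the echoed origin means a browser will accept credentialed cross-origin reads from any site, so that combination is worth flagging in review. The function names, the list representation of allow-origin, the handling of explicitly listed origins and the sample origins are assumptions made for illustration.

```python
# Added example: models the header rules documented above; not product code.
CRED = "Access-Control-Allow-Credentials"
ORIGIN = "Access-Control-Allow-Origin"


def cors_headers(allow_origin, allow_credentials, request_origin):
    """Return the CORS headers the documented rules produce for one request.

    allow_origin is a list of origins, ["*"] meaning all (assumed representation).
    """
    wildcard = "*" in allow_origin
    if not wildcard and request_origin not in allow_origin:
        return {}  # assumption: a disallowed origin gets no CORS headers
    headers = {}
    if allow_credentials:
        # The header is only ever sent with the value true; false omits it.
        headers[CRED] = "true"
        # With credentials on, '*' is never returned: the request origin is echoed.
        headers[ORIGIN] = request_origin
    else:
        # Assumption: an explicitly listed origin is returned as-is.
        headers[ORIGIN] = "*" if wildcard else request_origin
    return headers


def audit(probe_origin, headers):
    """Classify a response to a request sent with an origin nobody allow-listed."""
    if headers.get(CRED) == "true" and headers.get(ORIGIN) == probe_origin:
        return "any-origin-with-credentials"
    if headers.get(ORIGIN) == "*":
        return "any-origin-no-credentials"
    return "restricted"


if __name__ == "__main__":
    probe = "https://unlisted.example"  # constructed origin, not on any allow-list
    policies = {  # constructed sample policies
        "wildcard + credentials": (["*"], True),
        "wildcard only": (["*"], False),
        "allow-list + credentials": (["https://app.example"], True),
    }
    for name, (origins, creds) in policies.items():
        print(f"{name}: {audit(probe, cors_headers(origins, creds, probe))}")
```

The same audit function can be applied to headers captured from a test request against a deployed policy, using an origin that is not meant to be allowed.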