Access-Control-Allow-Credentials is a response header that tells the browser whether the response to the request can be exposed to the page. It may be exposed only when the header's value is true. "Credentials" here means cookies, authorization headers or TLS client certificates.
When this header is sent in the response to a preflight request, it indicates whether the actual request may be made with credentials. Note that simple GET requests are not preflighted, so if a request for a resource is made with credentials and this header is not returned with the resource, the browser ignores the response and does not return it to the web content.
The server must include this header in its response. A response carrying this header with the value true indicates that the server allows cookies (or other user credentials) to be included in cross-origin requests.
This header works together with the "withCredentials" property of the "XMLHttpRequest 2" object. Both must be set to true for the CORS request to succeed: if ".withCredentials" is true but no "Access-Control-Allow-Credentials" header is returned, the request fails, and vice versa.
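The following is an added example, not code from the original page: the server-side logic for answering a credentialed cross-origin request (and its preflight), plus the matching browser-side fetch options. The origin and header allowlists are constructed sample values.

```javascript
// Added example, not from the original page. Origins and header names below
// are constructed sample allowlists.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);
const ALLOWED_HEADERS = new Set(["authorization", "content-type", "x-csrf-token"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];

// Headers for a credentialed CORS response. Returns null when the Origin is
// not on the allowlist, in which case no CORS headers are sent at all and the
// browser refuses to expose the response to the page.
function credentialedCorsHeaders(origin, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof origin !== "string" || !allowedOrigins.has(origin)) {
    return null;
  }
  return {
    // With credentials, the wildcard "*" is not accepted by browsers; the
    // exact allowed origin must be echoed back.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // The response varies by Origin, so shared caches must key on it.
    "Vary": "Origin",
  };
}

// Headers for the OPTIONS preflight that precedes a non-simple credentialed
// request (e.g. one carrying an Authorization header). Requested headers are
// filtered against the allowlist rather than echoed back verbatim.
function preflightHeaders(origin, requestedMethod, requestedHeaders, allowedOrigins = ALLOWED_ORIGINS) {
  const base = credentialedCorsHeaders(origin, allowedOrigins);
  if (base === null || !ALLOWED_METHODS.includes(String(requestedMethod).toUpperCase())) {
    return null;
  }
  const granted = String(requestedHeaders || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter((h) => h && ALLOWED_HEADERS.has(h));
  return {
    ...base,
    "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
    "Access-Control-Allow-Headers": granted.join(", "),
    "Access-Control-Max-Age": "600",
  };
}

// Browser side: fetch options that send cookies cross-origin. This is the
// fetch() equivalent of setting xhr.withCredentials = true.
function credentialedFetchOptions() {
  return { method: "GET", mode: "cors", credentials: "include" };
}
```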
Enablement in Apache:
Add the line below to the ".htaccess" file (this requires mod_headers to be enabled).
Header always set Access-Control-Allow-Credentials true
Enablement in Nginx:
Add the line below to the nginx configuration file, inside the relevant server or location block.
add_header 'Access-Control-Allow-Credentials' 'true';