You are viewing a preview of this lesson. Sign in to start learning
Back to Web Security: The Modern Browser Model

CORS Credentials and Cookies

Master the interaction between CORS, cookies, and the withCredentials flag for authenticated requests

Introduction: Why Credentials in CORS Matter

Imagine you're logged into your banking app in one browser tab, and you open a financial dashboard in another tab that needs to fetch your transaction data from the bank's API. The dashboard loads, but shows "Access Denied." Why? Because your browser is protecting you from one of the web's most dangerous attack vectors. Understanding how CORS credentials work—and why they're handled differently than regular cross-origin requests—is essential for building secure, functional web applications. And with our free flashcards embedded throughout this lesson, you'll master these critical concepts through active practice.

Here's the paradox that every web developer must navigate: the same cookies and authentication tokens that prove you're a legitimate user also make you vulnerable to cross-site attacks. When a web page makes a cross-origin request, should it include your credentials? The answer isn't as simple as "yes" or "no"—it's "only when both the client and server explicitly agree, with multiple security checks in place."

The Default Behavior: Security by Exclusion

When your browser makes a cross-origin request (a request from one domain to another), it follows a critical security principle: credentials are excluded by default. This means that cookies, HTTP authentication headers, and even TLS client certificates are stripped away before the request leaves your browser.

🎯 Key Principle: CORS requests are "credential-less" by default. This is intentional security design, not a bug.

Why this restrictive default? Consider what would happen without it:

You're logged into bank.com (cookie: session=abc123)
↓
You visit evil.com
↓
evil.com makes a request to bank.com/transfer?to=attacker&amount=1000
↓
Without credential protection:
  → Browser automatically includes session=abc123
  → Bank sees valid session, processes transfer
  → You've been robbed

This attack is called Cross-Site Request Forgery (CSRF), and the default credential exclusion is your first line of defense. By ensuring that cross-origin requests don't automatically include your authentication cookies, browsers prevent malicious sites from impersonating you.

💡 Mental Model: Think of credentials as a VIP backstage pass. By default, when you send someone to another venue (cross-origin request), they don't get to bring your pass. They can only bring it if both you and the other venue explicitly agree to allow it.

Why Credentials Matter in Real Applications

But here's the challenge: most modern web applications need to make authenticated cross-origin requests. Consider these everyday scenarios:

🔧 Single Sign-On (SSO): Your company portal at portal.company.com needs to fetch user data from auth.company.com

🔧 Microservices Architecture: Your frontend at app.example.com communicates with APIs at api.example.com, payments.example.com, and analytics.example.com

🔧 Third-Party Integrations: Your dashboard at dashboard.io fetches data from analytics-api.thirdparty.com using your authenticated account

🔧 CDN-Hosted Assets: Your application at myapp.com makes API calls to api-cdn.global.net that require user context

Without the ability to include credentials in CORS requests, these architectures would be impossible. Users would need to log in separately to every subdomain and service—a terrible user experience that would break the modern web.

The Security Paradox: Necessary but Dangerous

This brings us to the central tension in CORS credential handling: enabling credential sharing is both essential for functionality and increases your attack surface.

Wrong thinking: "I'll just enable credentials for all CORS requests to make everything work."

Correct thinking: "I'll enable credentials only for specific, trusted origins with proper security controls."

When you enable credentialed CORS requests, you're creating a privileged communication channel. This channel allows one origin to act on behalf of a user in another origin—exactly what CSRF attacks exploit. The difference between secure functionality and a critical vulnerability often comes down to a single misconfigured header.

⚠️ Common Mistake: Setting Access-Control-Allow-Origin: * while allowing credentials. This is explicitly forbidden by browsers and won't work—but attempting it reveals a fundamental misunderstanding of the security model. ⚠️

🤔 Did you know? The CORS specification intentionally prevents wildcard origins when credentials are involved. This forces developers to explicitly list trusted origins, creating an audit trail of which domains have privileged access.

The Dual Opt-In Requirement

Here's what makes CORS credentials unique: both the client and server must explicitly consent to credential inclusion. This isn't a one-sided decision.

Client Side (JavaScript):
fetch('https://api.example.com/data', {
  credentials: 'include'  // ← Client opts in
})

Server Side (Response Header):
Access-Control-Allow-Credentials: true  // ← Server opts in
Access-Control-Allow-Origin: https://trusted-app.com  // ← Must be specific!

This dual consent mechanism ensures that:

🔒 The client developer consciously decides to send sensitive credentials

🔒 The server administrator explicitly authorizes which origins can make credentialed requests

🔒 Neither side can unilaterally create a security vulnerability

💡 Real-World Example: A fintech startup once deployed a dashboard that couldn't access their API despite correct credentials. The issue? Their frontend code included credentials: 'include', but their API didn't return Access-Control-Allow-Credentials: true. Both sides must agree—this isn't optional or redundant; it's defense in depth.

What's Coming Next

In the following sections, we'll dive deep into the technical mechanisms that make credentialed CORS work: the exact headers required, how browsers enforce these rules, and the configuration options available. Then we'll explore the most common misconfigurations that lead to security vulnerabilities—and the best practices that keep your applications both functional and secure.

But first, understand this fundamental truth: credentials in CORS aren't just a technical feature—they're a security boundary. Every time you enable them, you're making a trust decision. Make it wisely, make it explicitly, and always make it with both client and server in full agreement.

CORS Credentials Protocol: Headers and Configuration

When a cross-origin request needs to include sensitive authentication information like cookies or HTTP authentication headers, browsers enforce a strict handshake protocol between client and server. This credentials protocol requires explicit cooperation from both sides—the client must request credential inclusion, and the server must explicitly authorize it. Let's explore the technical mechanisms that make this secure exchange possible.

The Server Side: Access-Control-Allow-Credentials

The Access-Control-Allow-Credentials response header is the server's explicit permission slip for browsers to include credentials in cross-origin requests. This header accepts only one valid value: the string "true". No other value (not "1", not "yes", not "TRUE") will work.

Access-Control-Allow-Credentials: true

When this header is present with the value true, the browser knows the server consciously opted into receiving credentialed requests from the specified origin. Without this header, the browser will strip credentials from requests and hide credential-bearing responses from JavaScript, even if the client attempts to send them.

🎯 Key Principle: The credentials flag is binary—either fully enabled with "true" or fully disabled by omission. There's no middle ground.

The Client Side: Requesting Credential Inclusion

JavaScript code must also explicitly opt into sending credentials. Different APIs handle this differently:

XMLHttpRequest uses the withCredentials property:

const xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.open('GET', 'https://api.example.com/user');
xhr.send();

Fetch API uses the credentials option with three possible values:

// Always include credentials, even cross-origin
fetch('https://api.example.com/user', {
  credentials: 'include'
});

// Include only for same-origin requests (default)
fetch('https://api.example.com/user', {
  credentials: 'same-origin'
});

// Never include credentials
fetch('https://api.example.com/user', {
  credentials: 'omit'
});

💡 Remember: Both client AND server must opt in. If either side refuses, no credentials are shared.

The Wildcard Restriction: No Universal Access with Credentials

Here's where CORS gets strict. When credentials are involved, the Access-Control-Allow-Origin header cannot use the wildcard (*). Instead, it must specify the exact origin making the request.

This will fail:

Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

This will work:

Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Credentials: true

⚠️ Common Mistake 1: Trying to use * for convenience when developing authenticated APIs. The browser will reject the entire CORS exchange and block the response. ⚠️

🎯 Key Principle: The wildcard restriction prevents a malicious site from universally accessing authenticated resources. The server must know and explicitly trust each origin.

Client (https://app.example.com)          Server (https://api.example.com)
         |
         |  GET /user (withCredentials: true)
         |  Cookie: session=abc123
         |------------------------------------>
         |                                     |
         |                  Check: Is origin trusted?
         |                  If yes, respond with:
         |                  Access-Control-Allow-Origin: https://app.example.com
         |                  Access-Control-Allow-Credentials: true
         |<------------------------------------|
         |
Browser validates:
✓ Origin matches exactly (not *)
✓ Credentials header = true
→ Allows JS to read response

Headers and Methods: The Preflight Connection

When credentials are included, the Access-Control-Allow-Headers and Access-Control-Allow-Methods headers gain additional importance. During the preflight OPTIONS request, the server must explicitly permit any custom headers or non-simple methods.

Preflight request:

OPTIONS /api/user
Origin: https://app.example.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: X-Custom-Auth

Required response:

Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: PUT, GET, POST
Access-Control-Allow-Headers: X-Custom-Auth, Content-Type

⚠️ Common Mistake 2: Forgetting that wildcards in Access-Control-Allow-Headers or Access-Control-Allow-Methods may be restricted by some browsers when credentials are present. Always test with your exact headers. ⚠️

Cookies are the most common credential type, and their behavior with CORS is governed by both CORS headers and the cookie's SameSite attribute. This attribute defines when browsers will include cookies in cross-site requests:

SameSite=Strict: Cookie is never sent in cross-site requests, even with CORS credentials enabled. The browser blocks it before CORS even enters the picture.

SameSite=Lax (default in modern browsers): Cookie is sent only with "safe" top-level navigations (like clicking a link). API requests from another origin won't include these cookies.

SameSite=None; Secure: Cookie can be sent cross-site, but only if:

  • The cookie also has the Secure attribute (HTTPS only)
  • The CORS credentials protocol is satisfied (both headers present)
  • The browser hasn't blocked third-party cookies entirely

💡 Real-World Example: A social media widget on https://blog.com needs to show if you're logged into https://social.com. The session cookie on social.com must be set as:

Set-Cookie: session=xyz; SameSite=None; Secure; HttpOnly

And the API must respond with:

Access-Control-Allow-Origin: https://blog.com
Access-Control-Allow-Credentials: true

🤔 Did you know? Many browsers are phasing out third-party cookies entirely, even with SameSite=None. This means CORS with credentials may stop working for some users regardless of correct configuration, pushing developers toward alternative authentication patterns like tokens in headers.

📋 Quick Reference Card:

Component 🔧 Setting Required 🎯 Restriction 🔒
Server Header Access-Control-Allow-Credentials: true Must be exactly "true"
Origin Header Exact origin URL No wildcards (*) allowed
Client API withCredentials: true or credentials: 'include' Must explicitly opt in
Cookie Attribute SameSite=None; Secure Required for cross-site use
Connection HTTPS Required for SameSite=None

⚠️ Common Mistake 3: Setting all the CORS headers correctly but forgetting to configure the cookie's SameSite attribute, resulting in cookies being silently dropped by the browser. ⚠️

The CORS credentials protocol creates a secure, explicit consent mechanism between client and server. Every piece must be in place—server headers, client configuration, cookie attributes, and secure connections—for credentials to flow across origins. This defense-in-depth approach protects users from credential theft while enabling legitimate cross-origin authenticated interactions.

Common Pitfalls and Security Best Practices

With the fundamentals of CORS credentials in place, we now turn to the real-world challenges developers face. Understanding these pitfalls is just as important as knowing the correct configuration—perhaps more so, since a single misconfiguration can expose your users to serious security vulnerabilities.

The Dangerous Pattern: Dynamic Origin Reflection

⚠️ Common Mistake 1: The Reflected Origin Vulnerability ⚠️

The most dangerous CORS misconfiguration is dynamically reflecting the requesting origin while enabling credentials. This pattern looks tempting because it seems to solve CORS errors quickly:

// ❌ DANGEROUS - Never do this!
app.use((req, res, next) => {
  res.header('Access-Control-Allow-Origin', req.headers.origin);
  res.header('Access-Control-Allow-Credentials', 'true');
  next();
});

Why is this catastrophic? This configuration makes your API vulnerable to Cross-Site Request Forgery (CSRF) from any malicious website. An attacker can create a page at evil.com that makes authenticated requests to your API, and the browser will happily include the user's cookies because:

  1. The origin evil.com is reflected in the response header
  2. Credentials are explicitly allowed
  3. The browser sees this as legitimate CORS consent
Attacker's Website (evil.com)
         |
         | fetch('https://yourapi.com/transfer', {
         |   method: 'POST',
         |   credentials: 'include',
         |   body: JSON.stringify({to: 'attacker', amount: 1000})
         | })
         |
         v
    Your API Server
         |
         | ✓ Origin: evil.com reflected
         | ✓ Credentials: true
         | ✓ User's auth cookie included
         |
         v
    Money transferred! 💸

🎯 Key Principle: If you enable credentials, you must never dynamically reflect arbitrary origins. The security model breaks down completely when these two features combine.

Debugging Credentials: Why Aren't My Cookies Sending?

⚠️ Common Mistake 2: Missing withCredentials Flag ⚠️

Even with correct server configuration, credentials won't be sent unless the client explicitly requests it:

// ❌ Wrong - credentials won't be sent
fetch('https://api.example.com/data');

// ✅ Correct - credentials included
fetch('https://api.example.com/data', {
  credentials: 'include'
});

// For XMLHttpRequest
xhr.withCredentials = true;

// For Axios
axios.get('https://api.example.com/data', {
  withCredentials: true
});

💡 Pro Tip: When debugging credential issues, check your browser's Network tab. Look for the request headers—if you don't see Cookie: in the request, the problem is client-side. If cookies are sent but rejected, the problem is server-side CORS headers.

⚠️ Common Mistake 3: Wildcard with Credentials ⚠️

The browser explicitly forbids using Access-Control-Allow-Origin: * when credentials are enabled:

// ❌ Browser will reject this combination
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Credentials', 'true');
// Error: The value of the 'Access-Control-Allow-Origin' header 
// in the response must not be the wildcard '*' when the 
// request's credentials mode is 'include'.

🤔 Did you know? Modern browsers' SameSite cookie attribute can silently block legitimate CORS credential flows, even when CORS is correctly configured!

The SameSite attribute controls when cookies are sent with cross-site requests:

SameSite Value 🔒 Cross-Site Behavior 🎯 CORS Impact
Strict Never sent cross-site Blocks all CORS credentials
Lax (default) Sent only on top-level navigation (GET) Blocks POST/PUT/DELETE CORS requests
None Sent on all requests (requires Secure flag) Compatible with CORS credentials

To use credentials in CORS, cookies must be set with:

// Server setting cookie
res.cookie('session', sessionId, {
  sameSite: 'none',  // Required for CORS
  secure: true,       // Required when SameSite=None
  httpOnly: true      // Security best practice
});

⚠️ Common Mistake 4: Forgetting Secure Flag ⚠️

Browsers reject SameSite=None cookies without the Secure flag, meaning your cookies must be sent over HTTPS. This can cause development environment issues if you're testing on localhost with HTTP.

Secure Implementation Pattern: Origin Whitelisting

Correct thinking: Maintain an explicit allowlist of trusted origins and validate against it:

// ✅ SECURE - Whitelist approach
const ALLOWED_ORIGINS = [
  'https://app.mysite.com',
  'https://admin.mysite.com',
  'https://mobile.mysite.com'
];

app.use((req, res, next) => {
  const origin = req.headers.origin;
  
  if (ALLOWED_ORIGINS.includes(origin)) {
    res.header('Access-Control-Allow-Origin', origin);
    res.header('Access-Control-Allow-Credentials', 'true');
  }
  
  next();
});

💡 Real-World Example: For dynamic subdomain support, use regex validation carefully:

// ✅ Secure pattern for subdomains
const ALLOWED_ORIGIN_PATTERN = /^https:\/\/[a-z0-9-]+\.mysite\.com$/;

function isOriginAllowed(origin) {
  return ALLOWED_ORIGIN_PATTERN.test(origin);
}

if (isOriginAllowed(req.headers.origin)) {
  res.header('Access-Control-Allow-Origin', req.headers.origin);
  res.header('Access-Control-Allow-Credentials', 'true');
}

Real-World Authenticated API Flow

Let's examine a complete, secure implementation:

Client (https://app.mysite.com):

// User login - establishes session cookie
await fetch('https://api.mysite.com/login', {
  method: 'POST',
  credentials: 'include',  // Accept cookies
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ username, password })
});

// Subsequent authenticated request
const response = await fetch('https://api.mysite.com/user/profile', {
  credentials: 'include'  // Send session cookie
});

Server (https://api.mysite.com):

app.post('/login', (req, res) => {
  // Authenticate user...
  
  // Set session cookie
  res.cookie('sessionId', generateSession(), {
    httpOnly: true,
    secure: true,
    sameSite: 'none',  // Required for CORS
    maxAge: 3600000
  });
  
  // Set CORS headers
  res.header('Access-Control-Allow-Origin', 'https://app.mysite.com');
  res.header('Access-Control-Allow-Credentials', 'true');
  
  res.json({ success: true });
});

app.get('/user/profile', authenticateMiddleware, (req, res) => {
  // Session cookie automatically included by browser
  // authenticateMiddleware validates it
  
  res.header('Access-Control-Allow-Origin', 'https://app.mysite.com');
  res.header('Access-Control-Allow-Credentials', 'true');
  
  res.json({ user: req.user });
});

Summary

You now understand the critical security landscape of CORS credentials—knowledge that separates secure implementations from vulnerable ones. You've learned:

📋 Quick Reference Card:

⚠️ Pitfall 🔒 Secure Alternative
Reflecting arbitrary origins Whitelist specific trusted origins
Using wildcard * with credentials Specify exact origin
Missing withCredentials flag Always set credentials: 'include'
Default SameSite cookie behavior Set SameSite=None; Secure
HTTP-only cookies in development Use HTTPS or localhost exceptions

⚠️ Critical Points to Remember:

🎯 Never combine dynamic origin reflection with credentials enabled—this creates a CSRF vulnerability that can bypass all authentication.

🎯 Both client and server must explicitly opt-in—credentials won't flow unless withCredentials: true (client) AND Access-Control-Allow-Credentials: true (server) are set.

🎯 SameSite=None requires Secure flag—modern browsers enforce HTTPS for cross-site cookies, impacting your development workflow.

Practical Next Steps

  1. Audit your existing CORS configurations: Search your codebase for Access-Control-Allow-Origin headers that use variables or reflect request origins. If you find them with credentials enabled, prioritize fixing this critical vulnerability.

  2. Implement CSRF tokens for state-changing operations: Even with proper CORS configuration, defense-in-depth suggests using CSRF tokens for POST/PUT/DELETE requests that modify data.

  3. Test with multiple browsers: Different browsers may handle edge cases differently, especially around SameSite cookie behavior. Chrome, Firefox, and Safari have subtle differences in their CORS and cookie handling that can surprise you in production.

With these best practices in place, you can confidently implement authenticated cross-origin requests that are both functional and secure.

📝
Ready to practice?
This lesson has 15 questions to help you learn
Sign in to start learning

Sign in to access practice questions