allow-credentials
The allow-credentials entry controls whether or not the reverse proxy returns the Access-Control-Allow-Credentials header to clients.
allow-credentials = {true, false}
Description
Indicates to clients whether authentication is required when accessing resources that are protected by this policy. When enabled, the policy inserts the following header in both pre-flight and cross-origin responses:
Access-Control-Allow-Credentials: true
- Setting this entry to false, or not specifying it, omits the header from responses. The Access-Control-Allow-Credentials header is never present with any value other than true.
- If this entry is enabled and all origins are allowed (allow-origin is set to '*'), the reverse proxy never responds with a wildcard for allowed origins:
Access-Control-Allow-Origin: '*'
When all origins are allowed and credentials are required, the reverse proxy will instead respond with the origin presented in the request as the allowed origin:
Access-Control-Allow-Origin: <origin header from request>
This applies to both pre-flight and cross-origin requests.
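The following added example (not taken from the product documentation) audits a configuration for the combination described above: allow-credentials enabled together with allow-origin set to '*', where the request's origin is echoed back alongside Access-Control-Allow-Credentials: true. The stanza names and origins in the sample are constructed, and the file layout (one value per entry line, optional quotes around '*') is an assumption.

```python
import re

# Constructed sample configuration; stanza names and origins are illustrative.
SAMPLE_CONF = """\
[cors-policy:open-api]
allow-origin = *
allow-credentials = true

[cors-policy:partner]
allow-origin = https://app.example.com
allow-credentials = yes

[cors-policy:public]
allow-origin = '*'
"""

ENABLED = {"yes", "true"}  # enabling values listed under Options

def parse_policies(text):
    """Return {policy-name: {entry: [values]}} for each [cors-policy:...] stanza."""
    policies, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        stanza = re.fullmatch(r"\[(.+)\]", line)
        if stanza:
            kind, _, name = stanza.group(1).partition(":")
            current = policies.setdefault(name, {}) if kind == "cors-policy" else None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key, []).append(value.strip("'\""))
    return policies

def credentials_enabled(policy):
    # The entry is optional; the documented default is false.
    return policy.get("allow-credentials", ["false"])[-1].lower() in ENABLED

def wildcard_headers(policy, request_origin):
    """Headers the page describes for a policy whose allow-origin is '*'."""
    if "*" not in policy.get("allow-origin", []):
        raise ValueError("only the wildcard case is modelled here")
    if credentials_enabled(policy):
        # The wildcard is never returned: the request's Origin is echoed instead.
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true"}
    return {"Access-Control-Allow-Origin": "*"}

def reflecting_policies(text):
    """Names of policies that echo any origin together with credentials."""
    return [name for name, policy in parse_policies(text).items()
            if credentials_enabled(policy) and "*" in policy.get("allow-origin", [])]

if __name__ == "__main__":
    for name in reflecting_policies(SAMPLE_CONF):
        print(f"[cors-policy:{name}] reflects every origin with credentials")
```

A flagged policy lets every requesting origin make credentialed cross-origin requests, so confirm that this is intended or replace the wildcard with explicit allow-origin values.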
Options
yes | true: Add the Access-Control-Allow-Credentials header with a value of true to responses for pre-flight and cross-origin requests.
no | false: Do not add an Access-Control-Allow-Credentials header to responses for pre-flight and cross-origin requests.
Usage: This stanza entry is optional.
Default value: false
Example: allow-credentials = false
Parent topic: [cors-policy:policy-name] stanza