"angular: a wildcard '*' cannot be used in the 'access-control-allow-origin' header when the credentials flag is true" Code Answer

5

The response should only have the accepted headers in Access-Control-Allow-Headers; don't use a wildcard.

As far as it being safe, note the comment from @jules in this post about CORS:

Note that sending the HTTP Origin value back as the allowed origin will allow anyone to send requests to you with cookies, thus potentially stealing a session from a user who logged into your site and then viewed an attacker's page. You either want to send '*' (which will disallow cookies, thus preventing session stealing) or the specific domains for which you want the site to work.

See also the following for examples:

Wildcard not accepted in Access-Control-Allow-Headers

Specify headers in Access-Control-Allow-Headers


Alternative approach

You can just set the origin header to:

Access-Control-Allow-Origin: *

If you don't need to include cookies in your request, remove:

Access-Control-Allow-Credentials: true

Remove the wildcard from Access-Control-Allow-Headers and add Authorization, then pass that header as part of your request for authorization instead of passing credentials in a cookie, e.g.:

Authorization: Basic a2lkmt==

Also, add OPTIONS to the allowed methods.

By kites on September 17 2022
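The following is an added example, not code from the answer above or from Angular: a small pure function that computes the CORS response headers for one request under the two options the answer describes, a credentialed (cookie) mode that only ever echoes an allowlisted Origin, and a public mode that sends '*' and no Allow-Credentials. It also shows the insecure origin-reflection pattern @jules warns about, and a check that mirrors what the browser enforces for a credentialed request (Allow-Origin must equal the request Origin, never '*', and Allow-Credentials must be 'true'). The function names, the allowlisted origins and the header lists are assumptions made for the example.

```javascript
// Added example: pure CORS header computation, no server framework needed.
// ALLOWED_ORIGINS, ALLOWED_HEADERS and ALLOWED_METHODS are constructed
// values for this example, not values from the original answer.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // constructed: the production front end
  'http://localhost:4200',     // constructed: Angular dev server
]);
// Explicit list instead of '*': a wildcard in Allow-Headers is not honoured
// by browsers for credentialed requests, so name Authorization explicitly.
const ALLOWED_HEADERS = ['Content-Type', 'Authorization'];
// OPTIONS must be present so the preflight itself is permitted.
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'];

// mode === 'credentials': cookies are allowed, so the Origin is echoed back
//   only when it is on the allowlist, and '*' is never sent.
// mode === 'public': no cookies, so '*' is fine and Allow-Credentials is
//   omitted entirely (a bearer/Basic Authorization header still works here).
function buildCorsHeaders(method, requestHeaders, mode) {
  const origin = requestHeaders['origin'];
  const headers = {};
  if (!origin) return headers;               // same-origin or non-browser client
  if (mode === 'public') {
    headers['Access-Control-Allow-Origin'] = '*';
  } else {
    if (!ALLOWED_ORIGINS.has(origin)) return headers;  // unknown origin: no CORS headers
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin';              // response differs per origin; keep caches honest
  }
  if (method === 'OPTIONS') {                // preflight response
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Insecure variant for comparison: reflects any Origin together with
// credentials, which lets an attacker's page make cookie-bearing requests
// and read the responses (the session-stealing pattern quoted above).
function insecureReflectOrigin(requestHeaders) {
  const origin = requestHeaders['origin'];
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Mirrors the browser-side rule behind the error in the question: for a
// request sent with credentials (withCredentials: true), the response is
// usable only if Allow-Origin exactly equals the request Origin (so '*' is
// rejected) and Allow-Credentials is the literal string 'true'.
function browserAcceptsCredentialedResponse(responseHeaders, requestOrigin) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  const acac = responseHeaders['Access-Control-Allow-Credentials'];
  return acao === requestOrigin && acac === 'true';
}

module.exports = { buildCorsHeaders, insecureReflectOrigin, browserAcceptsCredentialedResponse };
```

In an Express-style handler you would call buildCorsHeaders(req.method, req.headers, 'credentials') and copy the returned object onto the response before answering the OPTIONS preflight with 204; the important property is that an unlisted Origin gets no CORS headers at all rather than a reflected one.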