Skip to content

Fix CORS Wildcard with Credentials Error

DodaTech Updated 2026-06-26 2 min read

In this tutorial, you'll learn about Fix CORS Wildcard with Credentials Error. We cover key concepts, practical examples, and best practices.

You set Access-Control-Allow-Origin: * on your API and also need to send cookies or authorization headers with credentials: 'include' in fetch. The browser blocks the response because the CORS spec forbids wildcard origins when credentials are enabled.

Wrong

The server uses a wildcard origin while the frontend sends credentials.

Server side:

const cors = require('cors');
app.use(cors({ origin: '*' }));

Frontend side:

fetch('https://api.example.com/user', {
  credentials: 'include'
})
.then(res => res.json());
Access to fetch at 'https://api.example.com/user' from origin
'https://app.example.com' has been blocked by CORS policy:
The value of the 'Access-Control-Allow-Origin' header in the response
must not be the wildcard '*' when the request's credentials mode is 'include'.

Replace the wildcard with the exact requesting origin and explicitly allow credentials.

Server side:

const cors = require('cors');
app.use(cors({
  origin: 'https://app.example.com',
  credentials: true,
}));

Or for multiple origins with dynamic resolution:

const allowedOrigins = ['https://app.example.com', 'https://admin.example.com'];

app.use(cors({
  origin: (origin, callback) => {
    if (!origin || allowedOrigins.includes(origin)) {
      callback(null, true);
    } else {
      callback(new Error('Not allowed by CORS'));
    }
  },
  credentials: true,
}));

Frontend side (unchanged):

fetch('https://api.example.com/user', {
  credentials: 'include'
})
.then(res => res.json());

Response headers now show:

Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Credentials: true
Vary: Origin

Prevention

  • Never use * for origin when you need to support credentials. Always specify exact origins.
  • Set credentials: true in the CORS configuration when cookies or Authorization headers are expected.
  • Add Vary: Origin so CDNs cache different responses for different origins correctly.
  • Use a whitelist function to dynamically determine the allowed origin at runtime for multi-domain support.
  • Keep the frontend origin list in environment variables, not hardcoded.
  • Remember that withCredentials for XMLHttpRequest and credentials: 'include' for fetch behave the same way.

DodaTech Tools

Doda Browser blocks credentialed requests with wildcard CORS and logs a detailed explanation in the console. DodaZIP's security audit module scans API configurations for wildcard CORS settings and flags them as violations. Durga Antivirus Pro uses strict origin-plus-credentials CORS for all its cloud synchronization endpoints.

FAQ

### Why does the browser block wildcard with credentials?

The CORS specification forbids Access-Control-Allow-Origin: * when Access-Control-Allow-Credentials: true is present. This prevents a malicious site from making authenticated requests to a server on behalf of the user and reading the response. The server must explicitly trust the requesting origin.

Can I use a dynamic origin with credentials?

Yes. Instead of *, read the Origin header from the request, validate it against an allowlist, and echo it back as Access-Control-Allow-Origin. The Vary: Origin header must also be sent so caches do not serve a response meant for one origin to another.

Does this affect all credentialed requests?

Yes. Any request that includes cookies, HTTP authentication, or client-side TLS certificates must have an explicit origin. This applies to fetch with credentials: 'include', XMLHttpRequest with withCredentials = true, and cross-origin requests that include Set-Cookie in the response.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro