CORS: The Limitation of Wildcards with Credentials in Access-Control-Allow-Origin

Cross-Origin Resource Sharing (CORS) is a essential security feature that controls how web pages in one domain can request and access resources from another domain. While configuring CORS, you may encounter an error message stating, “Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.” In this blog post, we will dive into the CORS concept, understand the significance of the credentials flag and explore why wildcards are restricted when using credentials.

What is CORS?

CORS is a web security feature implemented by web browsers to prevent malicious websites from making unauthorized cross-origin requests. It allows servers to specify which origins are permitted to access theiere resources and how these resources can be accessed.

The Credentials Flag

The credentials flag in CORS determines whether cross-origin requests can include credentials such as cookies, HTTP authentication, and client certificates. When the credentials flag is set to true, the browser includes credentials in the request. This is essential for scenarios like authenticated API requests.

fetch('', {
    method: 'GET',
    credentials: 'include',

The Issue with Wildcards and Credentials

When using CORS, you can define which origins are allowed to access your resources by specifying the Access-Control-Allow-Origin header. Typically you might see this header with a wildcard (*) to allow any origin to access the resource:

Access-Control-Allow-Origin: *

However, when the credentials flag is set to true on the client-side browser’s do not allow the use of wildcards (*) for Access-Control-Allow-Origin. This restriction exists for security reasons because wildcards with credentials could potentially expose sensitive information to malicious websites.

How to Resolve the Error

To resolve the “Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true” error, you must specify the exact origin that is allowed to make cross-origin requests with credentials. Instead of using a wildcard, set the Access-Control-Allow-Origin header to the specific origin you want to allow:


This way browser ensures that only the specified origin can access the resource with credentials, maintaining security.


CORS is crucial security feature that helps protect web applications from unauthorized cross-origin requests. When working with credentials in CORS, its essential to be aware of the limitation regarding wildcards in the Access-Control-Allow-Origin header. To ensure a secure and error-free cross-origin resource sharing configuration, always specify the exact origin you want to allow when using credentials in your web application. This practice enhances the security of your web application and prevents potential security vulnerabilities