fix: do not send Access-Control-Allow-Credentials

coderbyheart · coderbyheart · commit 8ea80151a7b3 · 2025-10-06T14:26:05.000+02:00
Cookies to not reliably work.

BREAKING CHANGE: this removes the Access-Control-Allow-Credentials
diff --git a/src/corsHeaders.spec.ts b/src/corsHeaders.spec.ts
@@ -11,7 +11,6 @@ void describe('corsHeaders()', () => {
 				},
 			}),
 			{
-				'Access-Control-Allow-Credentials': true,
 				'Access-Control-Allow-Headers':
 					'accept, authorization, content-type, if-match, origin',
 				'Access-Control-Expose-Headers':
diff --git a/src/corsHeaders.ts b/src/corsHeaders.ts
@@ -24,15 +24,13 @@ export const corsHeaders = (
 	allowedMethods = ['PUT', 'DELETE', 'POST', 'GET', 'PATCH'],
 	cacheForSeconds = 600,
 ): {
-	'Access-Control-Allow-Credentials': true
 	'Access-Control-Allow-Headers': string
 	'Access-Control-Expose-Headers': string
 	'Access-Control-Allow-Methods': string
 	'Access-Control-Allow-Origin': string
 	'Access-Control-Max-Age': number
 	Vary: 'Origin'
 } => ({
-	'Access-Control-Allow-Credentials': true,
 	'Access-Control-Allow-Origin': origin({ headers }),
 	'Access-Control-Allow-Methods': allowedMethods.join(', '),
 	'Access-Control-Allow-Headers': Array.from(

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,6 @@ void describe('corsHeaders()', () => {`
`11`	`11`	`},`
`12`	`12`	`}),`
`13`	`13`	`{`
`14`		`- 'Access-Control-Allow-Credentials': true,`
`15`	`14`	`'Access-Control-Allow-Headers':`
`16`	`15`	`'accept, authorization, content-type, if-match, origin',`
`17`	`16`	`'Access-Control-Expose-Headers':`