The Error
Access to fetch at 'https://api.com' from origin 'https://app.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Credentials' header is '' which must be 'true' when the request's credentials mode is 'include'
Quick Fix - 2 Minutes
// Program.cs - Dev Fix for CORS with credentials
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddCors(options =>
{
    options.AddPolicy("AllowApp", policy =>
    {
        policy.WithOrigins("https://app.com")   // Exact origin: never "*" together with credentials
              .AllowCredentials()               // Dev Fix: Required for cookies/auth
              .AllowAnyHeader()
              .AllowAnyMethod();
    });
});

var app = builder.Build();

app.UseCors("AllowApp");   // Before UseAuthentication/UseAuthorization
app.UseAuthentication();
app.UseAuthorization();

app.Run();
Why This Happens
Browsers block credentialed requests if the server doesn't explicitly set Access-Control-Allow-Credentials: true. You cannot use AllowAnyOrigin() with credentials: on a credentialed response the browser rejects a wildcard Access-Control-Allow-Origin, so the server has to echo back the exact origin it allows. .NET 8 enforces this harder than .NET 6.
Real-World Scenario: SignalR + Cookies Breaks CORS
This is the #1 reason devs hit this error. SignalR needs credentials for auth, but CORS blocks it:
// WRONG: Browser rejects - AllowAnyOrigin + AllowCredentials illegal
builder.Services.AddCors(options =>
{
    options.AddPolicy("AllowAll", policy =>
    {
        policy.AllowAnyOrigin()     // Browsers block this
              .AllowCredentials()   // When credentials=true
              .AllowAnyHeader()
              .AllowAnyMethod();
    });
});

// RIGHT: Exact origins + credentials for SignalR + cookies
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddSignalR();
builder.Services.AddCors(options =>
{
    options.AddPolicy("SignalRPolicy", policy =>
    {
        policy.WithOrigins(
                  "https://app.com",
                  "https://admin.app.com",
                  "http://localhost:3000"   // Dev Fix: dev URL only, drop it in production
              )
              .AllowCredentials()          // Dev Fix: Required for SignalR + auth cookie
              .AllowAnyHeader()
              .AllowAnyMethod()
              .SetIsOriginAllowedToAllowWildcardSubdomains(); // Optional: lets a "https://*.app.com" entry in WithOrigins match subdomains
    });
});

var app = builder.Build();

app.UseCors("SignalRPolicy");   // Must be before UseAuthentication/UseAuthorization and before MapHub
app.UseAuthentication();
app.UseAuthorization();
app.MapHub<ChatHub>("/hub/chat");

app.Run();
Client-side fix too: React/Angular must opt in to sending credentials, or the browser never attaches the cookie to the cross-origin request.
// JavaScript fetch
fetch('https://api.com/users', {
    method: 'GET',
    credentials: 'include' // Dev Fix: Sends cookies
});

// Axios
axios.defaults.withCredentials = true;

// SignalR
const connection = new signalR.HubConnectionBuilder()
    .withUrl("https://api.com/hub/chat", {
        withCredentials: true // Dev Fix: Critical for SignalR
    })
    .build();
Related Fixes You Should Know
Credentials CORS bugs cascade into these:
- Basic CORS Error Fix - Start here if you don't use cookies. Covers middleware order and preflight. Credentials is layer 2.
- JWT Signature Failed - CORS allows the request but the token isn't sent. The Authorization header is blocked unless you add .WithHeaders("Authorization") or .AllowAnyHeader().
- SignalR CORS Error - SignalR long-polling fails without .AllowCredentials(). WebSockets work but the fallback to XHR breaks.
- Cookie SameSite None Secure - Chrome blocks cookies on cross-site requests unless SameSite=None; Secure. CORS passes but the cookie is never sent.
FAQ
Q: Can I use SetIsOriginAllowed(origin => true) instead of WithOrigins?
Only for dev. SetIsOriginAllowed(origin => true) + AllowCredentials() reflects whatever Origin the request sends, so any site a user visits can make cookie-authenticated requests to your API and read the responses. This is a security risk in prod. Use exact WithOrigins() for production.
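The "Why This Happens" section and this answer come down to a single browser-side check on the response headers. The JavaScript below is an added model of that check (not code from the article or from ASP.NET Core), placed next to the four policy shapes this page discusses; the policy objects, the header logic and the sample origins are constructed for illustration, and the messages for the non-credentials cases only approximate the browser's wording.

```javascript
// Added example, not code from the article: a model of the browser-side check
// that produces the error at the top of this page, next to the four policy
// shapes this page discusses. The policy objects and origins are constructed.

// Server side: the CORS response headers a policy emits for a request that
// carries the given Origin. Loosely mirrors the ASP.NET Core options:
//   allowAnyOrigin   -> AllowAnyOrigin()          (emits "*")
//   isOriginAllowed  -> WithOrigins(...) / SetIsOriginAllowed(...)
//   allowCredentials -> AllowCredentials()
function corsHeadersFor(policy, origin) {
  const headers = {};
  if (policy.allowAnyOrigin) {
    headers['Access-Control-Allow-Origin'] = '*';
  } else if (policy.isOriginAllowed(origin)) {
    // Echo the exact origin and tell caches the answer depends on it.
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Vary'] = 'Origin';
  } else {
    return headers; // origin not allowed: no CORS headers at all
  }
  if (policy.allowCredentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Browser side: the validation applied to a response when the request was sent
// with credentials: 'include'. Returns null when the page may read the response,
// otherwise a message in the spirit of the console error.
function credentialedResponseError(requestOrigin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'] ?? '';
  if (acao === undefined) {
    return "No 'Access-Control-Allow-Origin' header is present on the requested resource";
  }
  if (acao === '*') {
    return "The value of the 'Access-Control-Allow-Origin' header must not be the wildcard '*' when the request's credentials mode is 'include'";
  }
  if (acao !== requestOrigin) {
    return `The 'Access-Control-Allow-Origin' header has a value '${acao}' that is not equal to the supplied origin`;
  }
  if (acac !== 'true') {
    return `The value of the 'Access-Control-Allow-Credentials' header is '${acac}' which must be 'true' when the request's credentials mode is 'include'`;
  }
  return null;
}

// The policy shapes discussed on this page (constructed):
const exactPolicy = {          // WithOrigins("https://app.com").AllowCredentials()
  allowAnyOrigin: false, allowCredentials: true,
  isOriginAllowed: (o) => o === 'https://app.com',
};
const noCredentialsPolicy = {  // WithOrigins("https://app.com") without AllowCredentials()
  allowAnyOrigin: false, allowCredentials: false,
  isOriginAllowed: (o) => o === 'https://app.com',
};
const wildcardPolicy = {       // AllowAnyOrigin().AllowCredentials(): illegal combination
  allowAnyOrigin: true, allowCredentials: true,
  isOriginAllowed: () => true,
};
const reflectAnyPolicy = {     // SetIsOriginAllowed(o => true).AllowCredentials(): dev only
  allowAnyOrigin: false, allowCredentials: true,
  isOriginAllowed: () => true,
};

// What the browser reports for a credentialed request from `origin` against
// `policy` (null means the response is exposed to the page).
function outcome(policy, origin) {
  return credentialedResponseError(origin, corsHeadersFor(policy, origin));
}

// Sample run over the four policies and two origins.
const policies = { exactPolicy, noCredentialsPolicy, wildcardPolicy, reflectAnyPolicy };
for (const [name, policy] of Object.entries(policies)) {
  for (const origin of ['https://app.com', 'https://other.example']) {
    console.log(name, origin, '->', outcome(policy, origin) ?? 'allowed');
  }
}
```

Two rows of the output carry the lesson: noCredentialsPolicy reproduces the exact error at the top of this page (the header is '' instead of 'true'), and reflectAnyPolicy returns "allowed" for https://other.example as well, which is why it is dev-only.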
Q: Why does CORS work for GET but fail for POST with credentials?
POST with a JSON body triggers a preflight OPTIONS request (a simple GET does not). The preflight carries no cookies, and its response must still include Access-Control-Allow-Credentials: true. If UseCors() is registered after UseAuthorization(), the preflight fails with 401 before the CORS headers are added.
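To make the middleware-order point concrete, here is an added toy model of the pipeline (not code from the article or from ASP.NET Core): a CORS stand-in and an auth stand-in composed in both orders, then fed a constructed preflight and a constructed cookie-bearing POST. The single allowed origin, the "session" cookie name and the request objects are assumptions for the example.

```javascript
// Added example, not code from the article: a toy model of the ASP.NET Core
// middleware pipeline showing why app.UseCors() must run before
// UseAuthentication()/UseAuthorization(). The request objects, the single
// allowed origin and the cookie name "session" are constructed for this example.

const ALLOWED_ORIGINS = new Set(['https://app.com']);

// Stand-in for app.UseCors("AllowApp") with WithOrigins(...).AllowCredentials():
// answers a preflight itself, otherwise adds CORS headers to the downstream response.
function corsMiddleware(req, next) {
  const origin = req.headers['origin'];
  const allowed = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  const corsHeaders = allowed
    ? {
        'Access-Control-Allow-Origin': origin,
        'Access-Control-Allow-Credentials': 'true',
        'Vary': 'Origin',
      }
    : {};

  const isPreflight = req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  if (isPreflight) {
    // A preflight never carries cookies, so middleware that demands a signed-in
    // user must not see it. Answer it here and stop the pipeline.
    return {
      status: 204,
      headers: allowed
        ? {
            ...corsHeaders,
            'Access-Control-Allow-Methods': req.headers['access-control-request-method'],
            'Access-Control-Allow-Headers': req.headers['access-control-request-headers'] ?? '',
          }
        : {},
    };
  }

  const res = next(req);
  return { ...res, headers: { ...res.headers, ...corsHeaders } };
}

// Stand-in for UseAuthentication() + UseAuthorization() guarding an endpoint
// that requires a signed-in user: 401 when the session cookie is missing.
function authMiddleware(req, next) {
  const cookie = req.headers['cookie'] ?? '';
  if (!cookie.split(';').some((c) => c.trim().startsWith('session='))) {
    return { status: 401, headers: {} };
  }
  return next(req);
}

// Terminal handler (the mapped endpoint).
function usersEndpoint(req) {
  return { status: 200, headers: { 'Content-Type': 'application/json' }, body: '[]' };
}

// Compose middleware in registration order: the first element runs first.
function buildPipeline(middlewares, terminal) {
  return middlewares.reduceRight((next, mw) => (req) => mw(req, next), terminal);
}

// Constructed requests, as a browser sends them for
// fetch('https://api.com/users', { method: 'POST', credentials: 'include',
//                                  headers: { 'Content-Type': 'application/json' } })
const preflight = {
  method: 'OPTIONS',
  headers: {
    origin: 'https://app.com',
    'access-control-request-method': 'POST',
    'access-control-request-headers': 'content-type',
  },
};
const actualPost = {
  method: 'POST',
  headers: { origin: 'https://app.com', cookie: 'session=abc123', 'content-type': 'application/json' },
};

const corsFirst = buildPipeline([corsMiddleware, authMiddleware], usersEndpoint); // correct order
const authFirst = buildPipeline([authMiddleware, corsMiddleware], usersEndpoint); // wrong order

// Sample run: the wrong order answers the preflight with a bare 401.
for (const [name, pipeline] of Object.entries({ corsFirst, authFirst })) {
  console.log(name, 'preflight ->', JSON.stringify(pipeline(preflight)));
  console.log(name, 'POST      ->', JSON.stringify(pipeline(actualPost)));
}
```

Note that authFirst still returns 200 with CORS headers for the cookie-bearing POST itself; only the cookie-less preflight dies at the auth stand-in, which is exactly why "GET works, POST with credentials fails" looks so puzzling from the browser console.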
Best Practice for .NET 8
- Never use AllowAnyOrigin() + AllowCredentials() together - the browser rejects it
- List exact origins in WithOrigins()
- app.UseCors() must be before UseAuthentication() and UseAuthorization()
- For cookies: the client must use fetch(url, { credentials: 'include' })