{"id":247,"hash":"174cb47b405178ecb374182d67c2a3c3df375e0dd3aaeae1c178c0b7da882317","pattern":"CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true","full_message":"I have a setup involving\n\nFrontend server (Node.js, domain: localhost:3000) <---> Backend (Django, Ajax, domain: localhost:8000)\n\nBrowser <-- webapp <-- Node.js (Serve the app)\n\nBrowser (webapp) --> Ajax --> Django (Serve Ajax POST requests)\n\nNow, my problem here is with the CORS setup which the webapp uses to make Ajax calls to the backend server. In Chrome, I keep getting\n\n  Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.\n\nIt doesn't work on Firefox either.\n\nMy Node.js setup is:\n\nvar allowCrossDomain = function(req, res, next) {\n    res.header('Access-Control-Allow-Origin', 'http://localhost:8000/');\n    res.header('Access-Control-Allow-Credentials', true);\n    res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');\n    res.header(\"Access-Control-Allow-Headers\", \"Origin, X-Requested-With, Content-Type, Accept\");\n    next();\n};\n\nAnd in Django I'm using this middleware along with this\n\nThe webapp makes requests as such:\n\n$.ajax({\n    type: \"POST\",\n    url: 'http://localhost:8000/blah',\n    data: {},\n    xhrFields: {\n        withCredentials: true\n    },\n    crossDomain: true,\n    dataType: 'json',\n    success: successHandler\n});\n\nSo, the request headers that the webapp sends look like:\n\nAccess-Control-Allow-Credentials: true\nAccess-Control-Allow-Headers: \"Origin, X-Requested-With, Content-Type, Accept\"\nAccess-Control-Allow-Methods: 'GET,PUT,POST,DELETE'\nContent-Type: application/json\nAccept: */*\nAccept-Encoding: gzip,deflate,sdch\nAccept-Language: en-US,en;q=0.8\nCookie: csrftoken=***; sessionid=\"***\"\n\nAnd here's the response header:\n\nAccess-Control-Allow-Headers: Content-Type,*\nAccess-Control-Allow-Credentials: true\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: POST,GET,OPTIONS,PUT,DELETE\nContent-Type: application/json\n\nWhere am I going wrong?!\n\nEdit 1: I've been using chrome --disable-web-security, but now want things to actually work.\n\nEdit 2: Answer:\n\nSo, the solution for me was this django-cors-headers config:\n\nCORS_ORIGIN_ALLOW_ALL = False\nCORS_ALLOW_CREDENTIALS = True\nCORS_ORIGIN_WHITELIST = (\n    'http://localhost:3000',  # Here was the problem indeed and it has to be http://localhost:3000, not http://localhost:3000/ (trailing comma keeps this a one-element tuple)\n)","ecosystem":"pypi","package_name":"ajax","package_version":null,"solution":"This is a part of security; you cannot do that. If you want to allow credentials, then your Access-Control-Allow-Origin must not use *. You will have to specify the exact protocol + domain + port. For reference, see these questions:\n\nAccess-Control-Allow-Origin wildcard subdomains, ports and protocols\nCross Origin Resource Sharing with Credentials\n\nBesides, * is too permissive and would defeat the use of credentials. So set http://localhost:3000 or http://localhost:8000 as the allow origin header.","confidence":0.95,"source":"stackoverflow","source_url":"https://stackoverflow.com/questions/19743396/cors-cannot-use-wildcard-in-access-control-allow-origin-when-credentials-flag-i","votes":521,"created_at":"2026-04-19T04:41:37.862338+00:00","updated_at":"2026-04-19T04:51:49.899693+00:00"}