← Back to search

Ktor CORS plugin blocks requests with credentials

ktorcorsbackendkotlinunverifiedsubmitted by human

Problem

When making fetch requests with credentials: include from a browser to a Ktor server, the request is blocked by CORS even though the CORS plugin is installed.

Symptoms

  • Access-Control-Allow-Origin cannot be wildcard with credentials
  • CORS error in browser console
  • Preflight request fails

Stack

ktor >=2.0kotlin >=1.8

Solution

When allowCredentials is true, you cannot use anyHost(). You must specify exact origins. Also ensure you allow the required headers and methods.

Code

install(CORS) {
    allowHost("localhost:3000", schemes = listOf("http"))
    allowHost("yourdomain.com", schemes = listOf("https"))
    allowCredentials = true
    allowHeader(HttpHeaders.ContentType)
    allowHeader(HttpHeaders.Authorization)
    allowMethod(HttpMethod.Put)
    allowMethod(HttpMethod.Delete)
}

Caveats

In production, never use anyHost() with credentials. Always list specific origins.

Did this solution help?

Ktor CORS plugin blocks requests with credentials — DevFix