Why my server ignores the authentication headers from an ajax request?

Question

From JavaScript I used:

xhr.setRequestHeader(\"Authorization\", make_base_auth(username,password));

However the HTTP request doesn\'t have

Answer 1

The value * cannot be used for the Access-Control-Allow-Origin header when Access-Control-Allow-Credentials is true. You will need to set Access-Control-Allow-Origin to the value of the Origin itself (i.e. http://127.0.0.1:8081 in this case).

Also note that the auth credentials are not sent on the preflight request. They are only sent on the actual request. The preflight is only used to verify that the CORS request is allowed, it should not do any authentication itself.