CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true

This is a part of security, you cannot do that. If you want to allow credentials then your Access-Control-Allow-Origin must not use *. You will have to specify the exact protocol + domain + port. For reference see these questions :

1. Access-Control-Allow-Origin wildcard subdomains, ports and protocols
2. Cross Origin Resource Sharing with Credentials

Besides * is too permissive and would defeat use of credentials. So set http://localhost:3000 or http://localhost:8000 as the allow origin header.

If you are using CORS middleware and you want to send withCredential boolean true, you can configure CORS like this:

var cors = require('cors');    app.use(cors({credentials: true, origin: 'http://localhost:3000'}));

Expanding on @Renaud idea, cors now provides a very easy way of doing this:

From cors official documentation found here:

"origin: Configures the Access-Control-Allow-Origin CORS header.Possible values:Boolean - set origin to true to reflect the request origin, as defined by req.header('Origin'), or set it to false to disable CORS."

Hence we simply do the following:

const app = express();const corsConfig = {    credentials: true,    origin: true,};app.use(cors(corsConfig));

Lastly I think it is worth mentioning that there are use cases where we would want to allow cross origin requests from anyone; for example, when building a public REST API.

NOTE:I would have liked to leave this as a comment on his answer, but unfortunately I don't have the reputation points.