๐ CORS Credentials
March 28, 2026 ยท View on GitHub
Controls how Ketesa sends cookies and credentials when making API requests. Most deployments don't need to touch this โ the default works fine for standard setups. You'll typically only need it when adding a reverse-proxy authentication layer in front of your homeserver.
When to change it:
includeโ use this when you have cookie-based auth in front of your homeserver (e.g., ForwardAuth with Authelia). Cookies will be forwarded with every request regardless of origin.omitโ use this if your setup explicitly must not send any cookies (rare; usually for strict security policies).same-originโ the default; works for the vast majority of deployments.
โ๏ธ Configuration
| Value | When to use | Behavior |
|---|---|---|
same-origin (default) | Standard deployments | Cookies sent only for same-origin requests |
include | Cookie-based auth (ForwardAuth, Authelia, etc.) | Cookies sent with every request |
omit | Strict no-cookie policies | Cookies never sent |
config.json
{
"corsCredentials": "include"
}
/.well-known/matrix/client
{
"cc.etke.ketesa": {
"corsCredentials": "include"
}
}