Session cookie not sent with XHR reqs

My React app (from is embedded in the website, but the requests sent from the React app don’t include the associated session cookie.

I have a workaround that involves adding the following headers to the server and XHR requests sent from the React app with withCredentials: true:

Access-Control-Allow-Credentials: true

However, this limits me to specifying a particular site in Access-Control-Allow-Origin, as the React app will be embedded in multiple sites.

Is there any way to ensure the session cookie is always sent from the React app?

Yes, you can set the credentials option to include in the fetch or axios requests made by the React app. This will ensure that the session cookie is always sent with the request, regardless of the origin. Here’s an example:

fetch('', {
  method: 'GET',
  credentials: 'include'

Note that this requires the server to allow credentials by setting Access-Control-Allow-Credentials: true.