diff --git a/app/controllers/api/application_controller.rb b/app/controllers/api/application_controller.rb
index 605b129..2f639c1 100644
--- a/app/controllers/api/application_controller.rb
+++ b/app/controllers/api/application_controller.rb
@@ -3,6 +3,7 @@ class Api::ApplicationController < ApplicationController
 def cor_filter
 headers['Access-Control-Allow-Origin'] = request.headers['Origin']
+ headers['Access-Control-Allow-Credentials'] = 'true'
 end
 def cor_preflight
diff --git a/spec/integration/api/cross_origin_request_spec.rb b/spec/integration/api/cross_origin_request_spec.rb
index bf66e46..6492626 100644
--- a/spec/integration/api/cross_origin_request_spec.rb
+++ b/spec/integration/api/cross_origin_request_spec.rb
@@ -24,6 +24,7 @@ feature 'API cross origin request' do
 )
 response.headers['Access-Control-Allow-Origin'].should == origin
+ response.headers['Access-Control-Allow-Credentials'].should == 'true'
 response.headers['Access-Control-Allow-Methods'].should == 'GET, POST, PUT, DELETE'
 response.headers['Access-Control-Allow-Headers'].should ==
@@ -37,5 +38,6 @@ feature 'API cross origin request' do
 }
 response.headers['Access-Control-Allow-Origin'].should == origin
+ response.headers['Access-Control-Allow-Credentials'].should == 'true'
 end
 end
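Review bot: The new `Access-Control-Allow-Credentials: true` in `cor_filter` is sent next to an `Access-Control-Allow-Origin` that echoes whatever `Origin` the request carries. If the API authenticates by cookie or HTTP auth, every origin is then treated as trusted for credentialed reads. Credentials should be allowed only for origins on an explicit allowlist, and a missing or unlisted `Origin` should get neither header. `Vary: Origin` should also be set so a cache does not reuse a response across origins. `cor_preflight` begins on the last line of the hunk and its body is not visible; if it sets the same headers it presumably needs the same check.

```ruby
def cor_filter
  origin = request.headers['Origin']
  # TRUSTED_ORIGINS is a placeholder for an allowlist the app would define
  return unless TRUSTED_ORIGINS.include?(origin)

  headers['Access-Control-Allow-Origin'] = origin
  headers['Vary'] = 'Origin'
  # … unchanged: Access-Control-Allow-Credentials header …
end
```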
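Review bot: Both added assertions (here and in the `@@ -37,5 +38,6 @@` hunk) check the credentials header only for the one `origin` the feature already sends, so the suite has no case where an origin is refused. I would add an example that sends an origin the API should not trust and asserts `response.headers['Access-Control-Allow-Credentials'].should be_nil`, with the same check for `Access-Control-Allow-Origin`. `origin` and the enclosing scenarios are defined outside both hunks, so what value it holds cannot be confirmed from here.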