allow_credentials

Optional. If True, cross-origin requests can include credentials (cookies, auth headers).

Default False to avoid accidentally exposing secured endpoints to untrusted sites.