diff --git a/routes/file/_middleware.ts b/routes/file/_middleware.ts
index ef6a1ed..af0af5a 100644
--- a/routes/file/_middleware.ts
+++ b/routes/file/_middleware.ts
@@ -10,9 +10,11 @@ export async function handler(req: Request, ctx: FreshContext) {
         if (allow) headers.set("Allow", allow);
         const origin = req.headers.get("origin");
         if (origin) {
+            const c = m.cfg.cors_credentials_hosts.includes(origin);
             headers.set("Access-Control-Allow-Origin", origin);
             if (allow) headers.set("Access-Control-Allow-Methods", allow);
             headers.set("Access-Control-Allow-Headers", "Content-Type, Range");
+            if (c) headers.set("Access-Control-Allow-Credentials", "true");
             headers.set("Access-Control-Allow-Private-Network", "true");
         }
         return new Response(null, { status: 204, headers });
@@ -21,7 +23,9 @@ export async function handler(req: Request, ctx: FreshContext) {
         const headers = new Headers(res.headers);
         const origin = req.headers.get("origin");
         if (origin) {
+            const c = m.cfg.cors_credentials_hosts.includes(origin);
             headers.set("Access-Control-Allow-Origin", origin);
+            if (c) headers.set("Access-Control-Allow-Credentials", "true");
         }
         return new Response(res.body, {
             status: res.status,