diff --git a/httpbin/core.py b/httpbin/core.py
index 3e23249..4bd29a1 100644
--- a/httpbin/core.py
+++ b/httpbin/core.py
@@ -51,9 +51,11 @@ app = Flask(__name__, template_folder=tmpl_dir)
 @app.after_request
 def set_cors_headers(response):
     response.headers['Access-Control-Allow-Origin'] = request.headers.get('Origin', '*')
+    response.headers['Access-Control-Allow-Credentials'] = 'true'
     if request.method == 'OPTIONS':
-        response.headers['Access-Control-Allow-Credentials'] = 'true'
+        # Both of these headers are only used for the "preflight request"
+        # http://www.w3.org/TR/cors/#access-control-allow-methods-response-header
         response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, PATCH, OPTIONS'
         response.headers['Access-Control-Max-Age'] = '3600'  # 1 hour cache
     return response
diff --git a/test_httpbin.py b/test_httpbin.py
index 1b1e2c0..248ce02 100755
--- a/test_httpbin.py
+++ b/test_httpbin.py
@@ -66,6 +66,12 @@ class HttpbinTestCase(unittest.TestCase):
             response.headers.get('Access-Control-Allow-Origin'), '*'
         )
+    def test_set_cors_credentials_headers_after_auth_request(self):
+        response = self.app.get('/basic-auth/foo/bar')
+        self.assertEqual(
+            response.headers.get('Access-Control-Allow-Credentials'), 'true'
+        )
+
     def test_set_cors_headers_after_request_with_request_origin(self):
         response = self.app.get('/get', headers={'Origin': 'origin'})
         self.assertEqual(
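Review bot: Moving `Access-Control-Allow-Credentials: true` out of the OPTIONS branch so it is sent on every response, combined with the existing line that reflects the request's `Origin` header verbatim into `Access-Control-Allow-Origin`, produces the "any origin, with credentials" CORS configuration: any web page can now issue credentialed cross-origin requests to this service and read the responses, which is exactly the pattern CORS is meant to prevent. For httpbin as a public test service this is presumably intentional, but nothing in the hunk says so, and this function is the kind of snippet that gets copied into real applications; a comment such as `# Deliberately permissive: httpbin is a test service. Reflecting Origin together with Allow-Credentials lets any site read credentialed responses - do not copy this into a real app.` above the new line would make the trade-off explicit. Because the value of `Access-Control-Allow-Origin` now depends on a request header, the response should also carry `Vary: Origin` so a shared HTTP cache does not serve a response stamped with one origin to a different one; `response.vary.add('Origin')` (Werkzeug's `vary` header set, if the Flask version in use exposes it) or `response.headers['Vary'] = 'Origin'` next to the reflection line would do. The `'*'` fallback when no `Origin` is present cannot be combined with credentials by a browser, but a request without `Origin` is not a CORS request, so that branch is harmless as written.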
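Review bot: The new test sends no `Origin` header, so it never exercises the combination the production change actually enables — a reflected origin plus `Allow-Credentials: true` on a credential-protected endpoint; it only proves the header appears on a non-OPTIONS response. Passing an origin and asserting both headers together, `response = self.app.get('/basic-auth/foo/bar', headers={'Origin': 'origin'})` followed by `self.assertEqual(response.headers.get('Access-Control-Allow-Origin'), 'origin')`, would pin the behaviour the test name suggests. Since no credentials are supplied, this request is presumably answered with a 401 challenge; asserting `response.status_code` as well would make it explicit that the CORS headers are expected on the auth-failure path too, rather than on whatever the endpoint happens to return. The enclosing `HttpbinTestCase` class continues outside the hunk.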