i have a custom cors policy like below, where I am setting support-credentials to false

public class CorsProviderFactory : ICorsPolicyProviderFactory
{
    //https://msdn.microsoft.com/en-us/magazine/dn532203.aspx

    public ICorsPolicyProvider GetCorsPolicyProvider(
        HttpRequestMessage request)
    {
        return new CorsPolicyProviderCustom();
    }

    public class CorsPolicyProviderCustom : Attribute, ICorsPolicyProvider
    {
        private readonly CorsPolicy _policy;

        public CorsPolicyProviderCustom()
        {
            // Create a CORS policy.
            _policy = new CorsPolicy
            {
                AllowAnyMethod = true,
                AllowAnyHeader = true,
                AllowAnyOrigin = true,
                SupportsCredentials = false
            };

            // Magic line right here
            _policy.Origins.Add("*");
            _policy.Methods.Add("*");
        }

        public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            return Task.FromResult(_policy);
        }
    }
}

and used it like :

    public static HttpConfiguration Register()
    {
        var config = new HttpConfiguration();
        config.SetCorsPolicyProviderFactory(new CorsProviderFactory());
        config.EnableCors();

       .................
 }

but even then in the postman response i see, support-credentials as true

how can I get support-credentials as false, the breakpoint does reaches to the custom policy part, so why is it that its not working :(

For security reasons you can not use Access-Control-Allow-Credentails with Access-Control-Allow-Origin set to *.

You must specify the exact domain(s) in Access-Control-Allow-Origin, OR set Access-Control-Allow-Credentails to false.