The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'

Hi everyone!

To the point, I have an application is meteor and I have a doubt. Why when I set the headers to make a request to another domain I get a message that the value of the Access-Control-Allow-Origin header should not be ‘*’ If I have my credentials header in true ?.
If clearly the value of my Access-Control-Allow-Origin header is ‘localhost: 3000’.
I do not understand if you tell me one thing and it clearly is not. Can somebody help me? thank you all people very much.


import { Meteor } from 'meteor/meteor';

Meteor.startup(() => {
  WebApp.connectHandlers.use((req, res, next) => {
    res.setHeader("Access-Control-Allow-Origin", "http://localhost:3000");
    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, X-Requested-With, x-request-metadata');
    res.setHeader('Access-Control-Allow-Credentials', "true");