diff --git a/news/104.bugfix b/news/104.bugfix
new file mode 100644
index 0000000..28ba451
--- /dev/null
+++ b/news/104.bugfix
@@ -0,0 +1,3 @@
+Explicitly make ``allow_credentials`` required in CORS policy.
+This was the default for Bool fields until and including zope.schema 6.0.1, but in 6.1.0 this changed.
+[maurits]
diff --git a/src/plone/rest/zcml.py b/src/plone/rest/zcml.py
index b41521b..d111fd8 100644
--- a/src/plone/rest/zcml.py
+++ b/src/plone/rest/zcml.py
@@ -186,6 +186,7 @@ class ICORSPolicyDirective(Interface):
         title=u"Support Credentials",
         description=u"""Indicates whether the resource supports user
         credentials in the request.""",
+        required=True,
         default=False,
     )