diff --git a/app/utils/ApiClient.js b/app/utils/ApiClient.js
index dbc62949..4681d854 100644
--- a/app/utils/ApiClient.js
+++ b/app/utils/ApiClient.js
@@ -1,6 +1,7 @@
// @flow
import invariant from "invariant";
import { map, trim } from "lodash";
+import { getCookie } from "tiny-cookie";
import stores from "stores";
import download from "./download";
import {
@@ -18,6 +19,11 @@ type Options = {
baseUrl?: string,
};
+// authorization cookie set by a Cloudflare Access proxy
+const CF_AUTHORIZATION = getCookie("CF_Authorization");
+// if the cookie is set, we must pass it with all ApiClient requests
+const CREDENTIALS = CF_AUTHORIZATION ? "same-origin" : "omit";
+
class ApiClient {
baseUrl: string;
userAgent: string;
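Review bot: `CF_AUTHORIZATION` is read from script-visible cookies once, at module load, so the detection can silently fail in two cases. If the Access application issues the cookie with the HttpOnly attribute, `getCookie` cannot see it and `CREDENTIALS` stays `"omit"`, which would presumably leave proxied API calls rejected. The value also goes stale if the cookie is set or expires after the bundle loads. Only the cookie's presence is used, so the token need not be held in a module constant: `const CREDENTIALS = getCookie("CF_Authorization") ? "same-origin" : "omit";`. I would also document the limitation next to it, e.g. `// detection requires a script-readable cookie; an HttpOnly CF_Authorization cookie is not seen`.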
@@ -91,7 +97,7 @@ class ApiClient {
body,
headers,
redirect: "follow",
- credentials: "omit",
+ credentials: CREDENTIALS,
cache: "no-cache",
});
} catch (err) {
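Review bot: With `credentials: CREDENTIALS` resolving to `"same-origin"`, the browser attaches every cookie scoped to the origin to each API request, not only `CF_Authorization`. The server side is not visible in this diff, so it is worth confirming that API routes still authenticate only on the request headers and do not start treating a cookie as a credential once it arrives. A comment at this line would record that assumption, e.g. `// same-origin sends all origin cookies so the Access proxy admits the request; API auth stays header-based`. The enclosing fetch call and its method begin and end outside this hunk.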
diff --git a/server/static/index.html b/server/static/index.html
index f302a540..b97ac290 100644
--- a/server/static/index.html
+++ b/server/static/index.html
@@ -12,7 +12,7 @@
href="/favicon-32.png"
sizes="32x32"
/>
-
+