diff --git a/packages/fxa-auth-client/lib/client.ts b/packages/fxa-auth-client/lib/client.ts
index 99217660dde..0248b9757a6 100644
--- a/packages/fxa-auth-client/lib/client.ts
+++ b/packages/fxa-auth-client/lib/client.ts
@@ -264,14 +264,33 @@ export default class AuthClient {
     }
 
     extraHeaders.set('Content-Type', 'application/json');
+
+    // Only include credentials for specific endpoints that may trigger WAF challenges
+    // Only enable for HTTPS to avoid node-fetch v2 compatibility issues in tests
+    const isHttps = new URL(this.uri).protocol === 'https:';
+    const includeCredentials =
+      isHttps &&
+      ['/account/create', '/password/forgot/send_otp'].some((endpoint) =>
+        path.includes(endpoint)
+      );
+
+    const requestOptions: RequestInit = {
+      method,
+      headers: extraHeaders,
+      body: cleanStringify(payload),
+    };
+
+    // Only set credentials property for HTTPS to avoid node-fetch v2 issues
+    if (isHttps) {
+      requestOptions.credentials = includeCredentials
+        ? 'include'
+        : 'same-origin';
+    }
+
     try {
       const response = await fetchOrTimeout(
         this.url(path),
-        {
-          method,
-          headers: extraHeaders,
-          body: cleanStringify(payload),
-        },
+        requestOptions,
         this.timeout
       );
       const result = JSON.parse(await response.text());
diff --git a/packages/fxa-auth-server/lib/routes/account.ts b/packages/fxa-auth-server/lib/routes/account.ts
index e466b205193..be1a923ec2a 100644
--- a/packages/fxa-auth-server/lib/routes/account.ts
+++ b/packages/fxa-auth-server/lib/routes/account.ts
@@ -417,7 +417,7 @@ export class AccountHandler {
           service: form.service || query.service,
         });
       } else {
-        console.debug('falling back')
+        console.debug('falling back');
         const sent = await this.mailer.sendVerifyEmail([], account, {
           code: account.emailCode,
           service: form.service || query.service,
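Review bot: The endpoint allow-list on the new `includeCredentials` line is a substring test, so `path.includes('/account/create')` is also true for any other path that happens to contain that string, and the leading `isHttps &&` is redundant because the value is only read inside `if (isHttps)`. Comparing the route exactly keeps the list an allow-list rather than a pattern: `['/account/create', '/password/forgot/send_otp'].some((endpoint) => path === endpoint || path.startsWith(endpoint + '?'))`, assuming `path` is the same route string handed to `this.url(path)` (its exact form is not visible in this hunk). The comment should also say what `'include'` actually does — the browser attaches every cookie it holds for the auth-server origin to these cross-origin requests — so the next maintainer knows the list must stay limited to routes whose server-side `cors` options opt into credentials; something like `// 'include' sends all cookies for the auth-server origin; keep this list in sync with the routes that set cors.credentials`. `new URL(this.uri)` is re-parsed on every request; computing `isHttps` once in the constructor would avoid that and would fail early if `this.uri` is ever not an absolute URL. The enclosing method starts and ends outside this hunk.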
@@ -2327,6 +2327,9 @@ export const accountRoutes = (
       path: '/account/create',
       options: {
         ...ACCOUNT_DOCS.ACCOUNT_CREATE_POST,
+        cors: {
+          credentials: true,
+        },
         validate: {
           query: isA.object({
             keys: isA.boolean().optional().description(DESCRIPTION.keys),
diff --git a/packages/fxa-auth-server/lib/routes/password.ts b/packages/fxa-auth-server/lib/routes/password.ts
index 775c35ca08f..02807f470cd 100644
--- a/packages/fxa-auth-server/lib/routes/password.ts
+++ b/packages/fxa-auth-server/lib/routes/password.ts
@@ -995,6 +995,9 @@ module.exports = function (
       path: '/password/forgot/send_otp',
       options: {
         ...PASSWORD_DOCS.PASSWORD_FORGOT_SEND_OTP_POST,
+        cors: {
+          credentials: true,
+        },
         validate: {
           query: isA.object({
             service: validators.service.description(DESCRIPTION.serviceRP),
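Review bot: `cors: { credentials: true }` on the `/account/create` route turns on `Access-Control-Allow-Credentials` but sets no `origin`, so the route inherits the server-level cors origin configuration, which is outside this diff; if that is the permissive default, hapi (to my understanding) cannot answer `*` together with credentials and instead reflects the caller's `Origin`, which effectively lets any origin make credentialed requests to this route. Either confirm the server-wide cors `origin` list is restricted to known front-ends, or set `origin` explicitly on this route next to `credentials: true`. The same applies to the `/password/forgot/send_otp` route in packages/fxa-auth-server/lib/routes/password.ts in the following hunk. A short comment would make the coupling visible, e.g. `// credentials: true so the browser can send WAF-challenge cookies; the allowed origin list must stay restricted`, since the matching client-side allow-list lives in fxa-auth-client and will drift silently otherwise.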