diff --git a/logtail/logtail.go b/logtail/logtail.go
index da19c3bbc..a1a6c196e 100644
--- a/logtail/logtail.go
+++ b/logtail/logtail.go
@@ -18,6 +18,7 @@ import (
 "net/netip"
 "os"
 "regexp"
+ "runtime"
 "strconv"
 "sync"
 "sync/atomic"
@@ -491,6 +492,19 @@ func (l *Logger) upload(ctx context.Context, body []byte, origlen int) (retryAft
 req.Header.Add("Content-Encoding", "zstd")
 req.Header.Add("Orig-Content-Length", strconv.Itoa(origlen))
 }
+ if runtime.GOOS == "js" {
+ // We once advertised we'd accept optional client certs (for internal use)
+ // on log.tailscale.io but then Tailscale SSH js/wasm clients prompted
+ // users (on some browsers?) to pick a client cert. We'll fix the server's
+ // TLS ServerHello, but we can also fix it client side for good measure.
+ //
+ // Corp details: https://github.com/tailscale/corp/issues/18177#issuecomment-2026598715
+ // and https://github.com/tailscale/corp/pull/18775#issuecomment-2027505036
+ //
+ // See https://github.com/golang/go/wiki/WebAssembly#configuring-fetch-options-while-using-nethttp
+ // and https://developer.mozilla.org/en-US/docs/Web/API/fetch#credentials
+ req.Header.Set("js.fetch:credentials", "omit")
+ }
 req.Header["User-Agent"] = nil // not worth writing one; save some bytes
 compressedNote := "not-compressed"
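Review bot: The `js.fetch:credentials` entry in the second hunk is a pseudo-header that only net/http's Fetch-backed js/wasm round tripper interprets and strips, yet it is set on every `runtime.GOOS == "js"` build regardless of which transport the Logger's HTTP client uses, and that client is not visible in this hunk. If a request ever bypassed the Fetch path, this key would presumably be treated as an ordinary header, and a name containing `:` is not a valid field name. The comment should record that dependency, e.g. `// Only honored by net/http's Fetch-based js/wasm RoundTripper; it is consumed there and never sent on the wire.` It should also say that, per the linked MDN page, `omit` drops cookies and HTTP authentication as well as client certificates, so the upload must not depend on ambient browser credentials. The body of `upload` starts and ends outside the hunk.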