Header and Basic Auth issue

I have an issue with adding Headers and Users for Basic Auth into a TWebHttpRequest.

In order to try and find out what my issue is, I adapted the SimpleService demo application to test.
I am running a server written in Delphi that exposes various REST endpoints on the same Win 11 machine as the TMSWebCore app. This server has CORS middleware enabled and running.

If I just substitute my localhost URL into the SimpleService demo app all runs fine. I get the expected result returned (a simple JSON object).

If I set the Accept to 'application/json' and Content-Type to 'text/plain' in code (using WebHttpRequest1.Headers.AddPair(...)) they work as expected. I am not passing anything in the body of the HttpRequest.

If I try to set the User or Password properties of the TWebHttpRequest either in code or directly in the Object Inspector at design time the call fails and the app just hangs.

The URL runs fine in Postman, also fine in a browser window, even in the browser that the WebCore app is running in if I copy the URL directly into the address box. I get the JSON back in each case.

I can breakpoint the server at the entry point for the API call, so I can see when the call hits the endpoint.

When I try to set other headers or the User and Password properties of the TWebHttpRequest I never leave the process space of the WebCore app, and never hit the Server endpoints.

All help and suggestions gratefully received.

My set up:
Delphi 11.3
Server written in Delphi (using DMVCFramework)

When you set User & Password, it creates the header

'Authorization', 'Basic '+window.btoa(User+':'+Password)

Is this what your server expects?

I suggest to compare the header sent by Postman and the one sent from the TMS WEB Core app from the browser via the browser console or inspect the difference server side.