Access-Control-Expose-Headers
Response header CORS

Overview

Access-Control-Expose-Headers is a CORS header that lists which response headers the browser will let client script read on a cross-origin response. Any header not named here is hidden from JavaScript beyond the safelist.

Details

By default, cross-origin fetch/XHR script can read only the seven CORS-safelisted response headers: Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, and Pragma. Custom or other headers such as ETag, X-Request-Id, or Location are present on the wire but the browser hides them from script.

To let client code use such headers (e.g. a pagination total in X-Total-Count, a trace id in X-Request-Id, or an ETag for conditional requests) the server must name them in Access-Control-Expose-Headers. This header applies to the actual response, not the preflight (OPTIONS) response.

The wildcard * is a convenience that exposes all non-safelisted headers, but only for non-credentialed requests. In a credentialed request (cookies or auth included) * loses its special meaning and refers to a header literally named `*`, effectively exposing nothing, so in credentialed scenarios you must enumerate header names explicitly.

Syntax

Access-Control-Expose-Headers: <header-name>[, <header-name>]* | *

e.g. Access-Control-Expose-Headers: Content-Length, X-Request-Id, ETag

Directives / values

<header-name>Name of a response header to expose to cross-origin script (case-insensitive). List several comma-separated.
*Exposes all response headers beyond the CORS-safelisted set. In credentialed requests it is treated as the literal header name `*` and does not work.

Notes

Related headers

Related status codes

Specification