Access-Control-Expose-Headers

The HTTP Access-Control-Expose-Headers response header is sent by the server to indicate which HTTP response headers the client may expose to scripts.

Usage

The Access-Control-Expose-Headers response header is part of the CORS protocol for cross-origin resource sharing, and it is sent to inform the client which HTTP headers can be exposed as part of the HTTP response. When HTTP response headers are made available to scripts run by the client, this header indicates which ones are allowed. The headers listed here are exposed in addition to those already whitelisted by the CORS protocol.

Note

Access-Control-Expose-Headers is different from Access-Control-Allow-Headers because it can be sent in response to a CORS request that is not a CORS preflight request.

The whitelisted CORS HTTP response headers are Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, and Pragma.

Access-Control-Expose-Headers: *

The asterisk is a wildcard for HTTP requests that do not have credentials. It tells the client to allow any supported HTTP header during a preflight request.

Note

For HTTP requests that include credentials, the asterisk character * is treated as a literal, rather than a wildcard character. Also, the wildcard will not expose the HTTP Authorization header, so this must be done explicitly if needed.

Example

In this example, the server responds to a previous HTTP request that was made by the client. As part of it, the HTTP Access-Control-Expose-Headers response header is included to indicate that both the HTTP Content-Encoding header and the custom HTTP X-User-Addr header are to be made available to scripts running on the client.

Response

Access-Control-Expose-Headers: Content-Encoding, X-User-Addr

Takeaway

The Access-Control-Expose-Headers response header is sent by a server to inform clients which HTTP headers will be exposed for use by scripts.

Last updated: June 2, 2022