Access-Control-Expose-Headers
The HTTP Access-Control-Expose-Headers response header lists which response headers the browser is allowed to expose to JavaScript in a CORS request.
Usage
By default, only a small set of response headers is accessible to front-end JavaScript after a cross-origin request. These CORS-safelisted response headers are Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, and Pragma.
Any other header the client needs to read must be explicitly listed in Access-Control-Expose-Headers. Without the listing, the browser hides the header value from scripts even though the network layer received the data.
This header differs from Access-Control-Allow-Headers in direction: Access-Control-Allow-Headers (sent in a preflight response) governs which headers a cross-origin request is allowed to send, while Access-Control-Expose-Headers governs which headers of the response JavaScript is allowed to read.
Directives
Header name list
A comma-separated set of response header names the browser is permitted to expose to the calling script.
Access-Control-Expose-Headers: X-Request-ID, X-RateLimit-Remaining
* (wildcard)
The asterisk acts as a wildcard for requests without credentials, exposing all response headers to JavaScript.
Access-Control-Expose-Headers: *
Note
For credentialed requests the wildcard * is treated as a literal string, not as a wildcard. Each header must be listed explicitly.
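The filtering rules above (safelisted headers always readable, listed headers readable, the wildcard honoured only for non-credentialed requests) can be modelled in a few lines. The following is an added illustration written for this page, not code from the Fetch Standard or any browser; the function names, the plain-object header representation and the sample responses are all constructed for the example. It also applies one rule from the Fetch Standard that the text above does not spell out: the wildcard never exposes Set-Cookie, which is a forbidden response-header name.

```javascript
// Added example: models how a browser decides which cross-origin response
// headers a script may read, driven by Access-Control-Expose-Headers.
// Illustrative logic only; real browsers implement this in the Fetch layer.

// The CORS-safelisted response headers: always readable after a CORS request.
const CORS_SAFELISTED_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// Forbidden response-header names (Fetch Standard): never exposed to script,
// even when the server answers with a wildcard.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Parse the comma-separated header-name list into a lower-cased set.
function parseExposeHeaders(value) {
  if (!value) return new Set();
  return new Set(
    value.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean)
  );
}

// Return the subset of `responseHeaders` (a plain object: name -> value)
// that script may read. `credentialed` is true for a request made with
// credentials (cookies, HTTP auth), e.g. fetch(..., { credentials: "include" }).
function exposedHeaders(responseHeaders, credentialed = false) {
  const lowered = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    lowered[name.toLowerCase()] = value;
  }
  const exposeList = parseExposeHeaders(lowered["access-control-expose-headers"]);

  // "*" only acts as a wildcard for non-credentialed requests. For a
  // credentialed request it is a literal name and matches nothing useful.
  const wildcard = !credentialed && exposeList.has("*");

  const visible = {};
  for (const [name, value] of Object.entries(lowered)) {
    if (FORBIDDEN_RESPONSE_HEADERS.has(name)) continue;
    if (
      CORS_SAFELISTED_RESPONSE_HEADERS.has(name) ||
      wildcard ||
      exposeList.has(name)
    ) {
      visible[name] = value;
    }
  }
  return visible;
}

// Constructed sample response: two custom headers are listed, one is not.
const SAMPLE_RESPONSE = {
  "Access-Control-Allow-Origin": "https://app.example.re",
  "Access-Control-Expose-Headers": "X-Request-ID, X-RateLimit-Remaining",
  "Content-Type": "application/json",
  "X-Request-ID": "abc-123-def",
  "X-RateLimit-Remaining": "47",
  "X-Backend-Node": "node-7", // not listed: stays hidden from script
};

// Constructed sample response using the wildcard.
const WILDCARD_RESPONSE = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Expose-Headers": "*",
  "X-Trace-ID": "trace-001",
  "Set-Cookie": "session=abc", // forbidden: hidden even with "*"
};

console.log(exposedHeaders(SAMPLE_RESPONSE));
console.log(exposedHeaders(WILDCARD_RESPONSE, false));
console.log(exposedHeaders(WILDCARD_RESPONSE, true));
```

In a real page the equivalent check is `response.headers.get("X-Backend-Node")` after a cross-origin `fetch()`: it returns `null` for a header the server did not list, while the value was still transferred on the wire. When auditing an API, compare the Access-Control-Expose-Headers list against the headers that actually carry data a front end relies on (request ids, rate-limit counters, pagination tokens), and keep internal diagnostic headers off the list.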
Example
An API returns a custom request identifier and a rate-limit counter. Both headers are listed so that client-side code can read them.
Access-Control-Allow-Origin: https://app.example.re
Access-Control-Expose-Headers: X-Request-ID, X-RateLimit-Remaining
X-Request-ID: abc-123-def
X-RateLimit-Remaining: 47
Here a server exposes the Content-Encoding header alongside a custom header for a non-credentialed request:
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Encoding, X-Trace-ID
Takeaway
The Access-Control-Expose-Headers header makes specific response headers readable to front-end JavaScript in a cross-origin context, extending visibility beyond the default CORS-safelisted set.
See also
- Fetch Standard: HTTP Access-Control-Expose-Headers
- Access-Control-Allow-Headers
- Access-Control-Allow-Origin
- CORS
- HTTP headers