The HTTP Access-Control-Expose-Headers response header is sent by the server to indicate which HTTP headers the client may expose.
The Access-Control-Expose-Headers response header is part of the CORS protocol, which allows cross-origin sharing. It informs the client which HTTP headers can be exposed as part of the HTTP response. For example, when response headers are made available to scripts run by the client, this header indicates which ones those scripts are allowed to read. The headers it lists are in addition to those already safelisted by the CORS protocol.
The asterisk is a wildcard for HTTP requests that do not have credentials. It tells the client to allow any supported HTTP header during a preflight request.
For HTTP requests that include credentials, the asterisk character * is treated as a literal, rather than a wildcard character. Also, the wildcard will not expose the HTTP Authorization header, so this must be done explicitly if needed.
In this example, the server responds to a previous HTTP request that was made by the client. The response includes the HTTP Access-Control-Expose-Headers header to indicate that both the HTTP Content-Encoding header and the custom HTTP X-User-Addr header are to be made available to scripts running on the client.
Access-Control-Expose-Headers: Content-Encoding, X-User-Addr
The Access-Control-Expose-Headers response header is sent by a server to inform clients which HTTP headers will be exposed for use by scripts.
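The following added example (not part of the original page, and not browser source code) is a simplified model of the rules above: it computes which response headers a cross-origin script could read for an explicit list and for the wildcard, with and without credentials. The function names, the X-Internal-Trace header and the sample values are constructed for illustration.

```javascript
// Simplified model of which response headers a cross-origin script may read.
// Added example; names and sample data are constructed, not from the page.
const SAFELISTED = new Set([ // CORS-safelisted response headers (Fetch standard)
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// Parse the comma-separated Access-Control-Expose-Headers value.
function parseExposeList(value) {
  return (value || "")
    .split(",")
    .map((name) => name.trim().toLowerCase())
    .filter((name) => name.length > 0);
}

// responseHeaders: plain object of header name -> value.
// withCredentials: true when the request was sent with credentials.
function visibleHeaders(responseHeaders, withCredentials) {
  const keys = Object.keys(responseHeaders);
  const exposeKey = keys.find(
    (n) => n.toLowerCase() === "access-control-expose-headers");
  const listed = new Set(parseExposeList(responseHeaders[exposeKey]));
  // "*" is a wildcard only for requests without credentials;
  // with credentials it is a literal header name.
  const wildcard = listed.has("*") && !withCredentials;
  return keys.map((n) => n.toLowerCase()).filter((name) => {
    if (SAFELISTED.has(name)) return true; // always readable
    if (listed.has(name)) return true;     // explicitly exposed
    // As the page states, the wildcard does not cover Authorization.
    return wildcard && name !== "authorization";
  }).sort();
}

// Constructed sample responses: same headers, different expose policy.
const BASE = {
  "Content-Type": "application/json",
  "Content-Encoding": "gzip",
  "X-User-Addr": "203.0.113.7",
  "X-Internal-Trace": "constructed-trace-id",
};
const EXPLICIT = { ...BASE,
  "Access-Control-Expose-Headers": "Content-Encoding, X-User-Addr" };
const WILDCARD = { ...BASE, "Access-Control-Expose-Headers": "*" };

console.log(visibleHeaders(EXPLICIT, false)); // explicit list only
console.log(visibleHeaders(WILDCARD, false)); // everything, incl. X-Internal-Trace
console.log(visibleHeaders(WILDCARD, true));  // "*" is literal: safelist only
```

With the explicit list, X-Internal-Trace stays hidden from scripts; with the wildcard on a request without credentials it becomes readable, which is why an explicit list is the tighter setting when a response carries headers not meant for other origins.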