cors

Access-Control-Expose-Headers

Lists response headers that the browser will expose to client JavaScript across origins. By default only a small CORS-safelisted set (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma) is readable.

Access-Control-Expose-Headers: <header-name>[, <header-name>...]  |  *

Common directives / values

Directive Purpose
X-Request-Id Expose a request tracing id to the client for debugging.
X-Total-Count Common pagination pattern — expose count so the client can render page controls.
Location Needed for clients that read Location on 201 Created cross-origin.
* Expose all response headers — ignored for credentialed requests; use with care.

Examples

Access-Control-Expose-Headers: X-Total-Count, Link

Expose pagination headers so JS can render Next/Prev buttons.

Access-Control-Expose-Headers: *

Non-credentialed API willing to expose everything.

Access-Control-Expose-Headers: X-RateLimit-Remaining, X-RateLimit-Reset

Expose rate-limit metadata so the client can back off gracefully.

Access-Control-Expose-Headers: Content-Disposition

Required to read filename from a cross-origin file download in JS.

Gotcha

* in Expose-Headers is ignored for credentialed responses — you must enumerate each header explicitly. Authorization is never exposable via *.

Related headers

← All HTTP headers · HTTP status codes · Fix CORS errors