cors
Access-Control-Expose-Headers
Lists response headers that the browser will expose to client JavaScript across origins. By default only a small CORS-safelisted set (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma) is readable.
Access-Control-Expose-Headers: <header-name>[, <header-name>...] | * Common directives / values
| Directive | Purpose |
|---|---|
| X-Request-Id | Expose a request tracing id to the client for debugging. |
| X-Total-Count | Common pagination pattern — expose count so the client can render page controls. |
| Location | Needed for clients that read Location on 201 Created cross-origin. |
| * | Expose all response headers — ignored for credentialed requests; use with care. |
Examples
Access-Control-Expose-Headers: X-Total-Count, Link Expose pagination headers so JS can render Next/Prev buttons.
Access-Control-Expose-Headers: * Non-credentialed API willing to expose everything.
Access-Control-Expose-Headers: X-RateLimit-Remaining, X-RateLimit-Reset Expose rate-limit metadata so the client can back off gracefully.
Access-Control-Expose-Headers: Content-Disposition Required to read filename from a cross-origin file download in JS.
Gotcha
* in Expose-Headers is ignored for credentialed responses — you must enumerate each header explicitly. Authorization is never exposable via *.
Related headers
Access-Control-Allow-Origin
The core CORS response header: names the single origin (or *) permitted to read this response from client-side JavaScript. If missing or non-matching, the browser blocks the response from the calling script.
Access-Control-Allow-Credentials
Signals that the response may be shared with the requesting origin even when the request was made with credentials (cookies, HTTP auth, or client TLS certs). The only legal value is the literal string 'true'.
Content-Disposition
In responses, controls whether the browser renders the body inline or offers it as a download, and suggests a filename. In multipart/form-data request parts, names the form field and optionally the upload filename.
Access-Control-Allow-Headers
Preflight response listing which request headers the actual request is allowed to send. Required whenever the client sends any non-CORS-safelisted header such as Authorization or a custom X-* header.
Access-Control-Allow-Methods
Sent in the preflight (OPTIONS) response to list which HTTP methods the actual cross-origin request may use. Cached by the browser according to Access-Control-Max-Age.