The Access-Control-Expose-Headers header specifies which response headers can be accessed by client-side JavaScript in cross-origin requests.
By default, browsers expose only the CORS-safelisted response headers to JavaScript. To allow access to any other header, the server must list it explicitly in this header.
Syntax & Values
Access-Control-Expose-Headers: <header>
Access-Control-Expose-Headers: <header>, <header>, ...
Access-Control-Expose-Headers: *
The Access-Control-Expose-Headers header accepts one or more response header names (e.g., X-Total-Count or X-Total-Count, X-RateLimit-Remaining) to specify which headers can be accessed by client-side JavaScript. Additionally, the wildcard * can be used to expose all non-safelisted headers.
Examples
Exposing a single custom header
Makes the X-Total-Count response header accessible to client-side JavaScript.
Access-Control-Expose-Headers: X-Total-Count
Exposing multiple headers
Makes multiple custom headers like X-Total-Count and X-RateLimit-Remaining accessible to client-side JavaScript. Headers are comma-separated.
Access-Control-Expose-Headers: X-Total-Count, X-RateLimit-Remaining
Exposing all non-safelisted headers
Makes all non-safelisted response headers accessible to client-side JavaScript.
Access-Control-Expose-Headers: *
Common Errors & Fixes
Header X can't be read by client JavaScript.
Expose the header X by adding its name to the Access-Control-Expose-Headers response header from the server. For example: Access-Control-Expose-Headers: X.
Frequently Asked Questions
Can I expose all headers?
Yes, you can use the asterisk (*) as a wildcard to expose all non-safelisted headers.
Can it contain multiple header names?
Yes, you can list multiple header names, separated by commas. For example: Access-Control-Expose-Headers: Content-Length, X-My-Custom-Header.
Is the Access-Control-Expose-Headers value case-sensitive?
No, HTTP header names are generally case-insensitive. So, X-Custom-Header is treated the same as x-custom-header when listed in Access-Control-Expose-Headers.
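The rules above (safelist, comma-separated names, wildcard, case-insensitive matching) can be modelled in a few lines to audit what a given response would let cross-origin JavaScript read, and to compare an explicit list with *. This is an added example, not code from the original page; the function names and sample response are constructed. It also assumes two behaviours from the Fetch standard that the page does not state: * is treated as a literal header name on credentialed requests, and Set-Cookie is never exposed.

```javascript
// CORS-safelisted response headers: always readable by cross-origin scripts.
const SAFELISTED = new Set([
  'cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma',
]);
// Forbidden response-header names: never readable, even with a wildcard
// (assumption taken from the Fetch standard, not from the page).
const FORBIDDEN = new Set(['set-cookie', 'set-cookie2']);

// Split the comma-separated header value into lower-cased names,
// because header names compare case-insensitively.
function parseExposeHeaders(value) {
  return new Set(
    (value || '').split(',').map((n) => n.trim().toLowerCase()).filter(Boolean)
  );
}

// responseHeaders: plain object of header name -> value.
// credentialed: true when the request carried credentials; in that mode
// "*" is a literal name, not a wildcard (Fetch standard assumption).
// Returns the sorted, lower-cased names a script could read.
function readableHeaders(responseHeaders, credentialed = false) {
  const entry = Object.entries(responseHeaders)
    .find(([k]) => k.toLowerCase() === 'access-control-expose-headers');
  const listed = parseExposeHeaders(entry?.[1]);
  const wildcard = listed.has('*') && !credentialed;
  return Object.keys(responseHeaders)
    .map((name) => name.toLowerCase())
    .filter((name) => !FORBIDDEN.has(name))
    .filter((name) => SAFELISTED.has(name) || wildcard || listed.has(name))
    .sort();
}

// Constructed sample response (not captured from a real server).
const sample = {
  'Content-Type': 'application/json',
  'X-Total-Count': '42',
  'X-RateLimit-Remaining': '17',
  'Set-Cookie': 'sid=constructed',
  'Access-Control-Expose-Headers': 'x-total-count',
};
const wildcardSample = { ...sample, 'Access-Control-Expose-Headers': '*' };

console.log(readableHeaders(sample));               // explicit list
console.log(readableHeaders(wildcardSample));       // wildcard, no credentials
console.log(readableHeaders(wildcardSample, true)); // wildcard, credentialed
```

Running it against a real response's header set shows every header that * would hand to scripts, which is the list to review before choosing the wildcard over explicit names.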