Access-Control-Expose-Headers

Description

The Access-Control-Expose-Headers header specifies which response headers can be accessed by client-side JavaScript in cross-origin requests. In cross-origin requests, by default, browsers only expose certain headers to client JavaScript, which are CORS-safelisted headers. In order for client JavaScript to read other headers, they must be explicitly set via the Access-Control-Expose-Headers (ACEH) header. This header lets client JS read **non-safelisted response headers**.

Syntax & allowed values

  • Access-Control-Expose-Headers: X-Custom-Header
  • Access-Control-Expose-Headers: X-RateLimit-Remaining, X-Total-Count
  • Access-Control-Expose-Headers: *

Code examples

SERVER

// Express.js (Node.js) example (server-side)
const express = require('express');
const app = express();

// Middleware to set CORS headers
app.use((req, res, next) => {
  res.setHeader('Access-Control-Allow-Origin', 'https://your-frontend-domain.com');
  
  // Expose custom headers to client JavaScript
  res.setHeader('Access-Control-Expose-Headers', 'X-Total-Count, X-RateLimit-Remaining');
  next();
});

app.get('/api/users', (req, res) => {
  // Set custom headers that will be exposed to the client
  res.setHeader('X-Total-Count', '150');
  res.setHeader('X-RateLimit-Remaining', '99');
  
  res.json([
    { id: 1, name: 'John Doe' },
    { id: 2, name: 'Jane Smith' }
  ]);
});

const port = 3001;
app.listen(port, () => {
  console.log(`Server running on port ${port}`);
});

CLIENT

// JavaScript Fetch API example (client-side)
fetch('https://api.example.com/users', {
  method: 'GET',
  headers: {
    'Content-Type': 'application/json'
  }
})
.then(response => {
  if (!response.ok) {
    throw new Error('Network response was not ok');
  }
  
  // These headers are now accessible because the server
  // included them in Access-Control-Expose-Headers
  const totalCount = response.headers.get('X-Total-Count');
  const rateLimit = response.headers.get('X-RateLimit-Remaining');
  
  console.log('Total items:', totalCount);
  console.log('Rate limit remaining:', rateLimit);
  
  return response.json();
})
.then(data => {
  console.log('Users:', data);
})
.catch(error => console.error('Error:', error));

Common errors & fixes

Header X can't be read by client JavaScript.

Expose the header X by adding its name to the Access-Control-Expose-Headers response header from the server. For example: `Access-Control-Expose-Headers: X`.

Frequently asked questions

Can I expose all headers?

Yes, you can use the asterisk (`*`) as a wildcard to expose all non-safelisted headers.

Can it contain multiple header names?

Yes, you can list multiple header names, separated by commas. For example: `Access-Control-Expose-Headers: Content-Length, X-My-Custom-Header`.

Is the Access-Control-Expose-Headers value case-sensitive?

No, HTTP header names are generally case-insensitive. So, `X-Custom-Header` is treated the same as `x-custom-header` when listed in ACEH.

Tired of CORS errors?

Corsfix enables you to fetch any API without getting CORS issues, allowing you to focus on building your application.

Try Corsfix free