HTTP headers | Access-Control-Expose-Headers

Last Updated : 19 Nov, 2019
The HTTP Access-Control-Expose-Headers header is a response header that lists which response headers are exposed to scripts running in the browser when they read a cross-origin response. By default, 6 response headers are already exposed; these are known as the CORS-safelisted response headers: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma.

Syntax:

Access-Control-Expose-Headers: <header-name>
Access-Control-Expose-Headers: *

Note: Multiple headers can be used.

Directives:

  • <header-name>: Specifies a header to expose in addition to the CORS-safelisted headers. Multiple headers are separated by commas.
  • * (wildcard): Acts as a wildcard only for requests made without HTTP cookies or HTTP authentication information. Note that the Authorization header cannot be wildcarded and must be listed explicitly.

Examples:

  • In this example, the Accept-Language HTTP header is exposed. Note that it is not a CORS-safelisted header.
    Access-Control-Expose-Headers: Accept-Language
  • In this example, the Authorization HTTP header has to be listed explicitly because it cannot be wildcarded.
    Access-Control-Expose-Headers: *, Authorization
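
The following added example (not part of the original article) models the rules described above to work out which response headers a cross-origin script could read. The function names and the sample response are assumptions made for illustration, and the safelist is the six headers named on this page.

```javascript
// Added example: models the exposure rules as described on this page.
// The safelist below is the six headers this page names.
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);

// Parse a comma-separated Access-Control-Expose-Headers value
// into a list of lowercase header names.
function parseExposeHeaders(value) {
  return (value || "")
    .split(",")
    .map((name) => name.trim().toLowerCase())
    .filter((name) => name.length > 0);
}

// Return the sorted response header names a cross-origin script could read.
// responseHeaders: plain object of header name -> value.
// withCredentials: true when the request carried cookies or HTTP authentication.
function readableHeaders(responseHeaders, withCredentials) {
  const present = Object.keys(responseHeaders).map((n) => n.toLowerCase());
  const entry = Object.entries(responseHeaders)
    .find(([n]) => n.toLowerCase() === "access-control-expose-headers");
  const listed = new Set(parseExposeHeaders(entry && entry[1]));
  // "*" acts as a wildcard only for requests without credentials.
  const wildcard = listed.has("*") && !withCredentials;

  return present.filter((name) => {
    if (SAFELISTED.has(name)) return true;       // exposed by default
    if (listed.has(name)) return true;           // explicitly listed
    if (name === "authorization") return false;  // per this page: not covered by "*"
    return wildcard;
  }).sort();
}

// Constructed sample response, for illustration only.
const sample = {
  "Content-Type": "application/json",
  "X-Request-Id": "constructed-123",
  "Authorization": "constructed-token",
  "Access-Control-Expose-Headers": "*",
};

console.log(readableHeaders(sample, false)); // request without credentials
console.log(readableHeaders(sample, true));  // request with credentials
```
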

Supported Browsers: The browsers compatible with the HTTP header Access-Control-Expose-Headers are listed below:

  • Google Chrome 4.0
  • Internet Explorer 12.0
  • Opera 12.0
  • Firefox 3.5
  • Safari 4.0

Note: The * (wildcard) directive may not be supported on Safari and Internet Explorer.

