HTTP headers | Access-Control-Expose-Headers

The HTTP Access-Control-Expose-Headers header is a response header that is used to expose the headers that have been mentioned in it. By default 6 response headers are already exposed which are known as CORS-safelisted response headers. They are namely- Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma.


Access-Control-Expose-Headers: <header-name>
Access-Control-Expose-Headers: *

Note: Multiple headers can be used.


  • <header-name>: It specifies the header that needs to be exposed other than the safe listed headers specified by CORS. If there are multiple headers in use we separate them using commas.
  • *(wildcard): It is used for requests without HTTP cookies or HTTP authentication information. It should be noted that the Authorization header cannot be wildcarded and needs explicit mentioning.


  • In this example, the Accept-Language HTTP header is exposed. It can be noted that it is a non-CORS safe listed header.
    Access-Control-Expose-Headers: Accept-Language
  • In this example, the Authorization HTTP header was needed to be mentioned explicitly as it can’t be wild-carded normally.
    Access-Control-Expose-Headers: *, Authorization

Supported Browsers: The browsers are compatible with HTTP header Access-Control-Expose-Headers are listed below:

  • Google Chrome 4.0
  • Internet Explorer 12.0
  • Opera 12.0
  • Firefox 3.5
  • Safari 4.0

Note: *(wildcard) directive may not supported on Safari and Internet Explorer.

My Personal Notes arrow_drop_up

Check out this Author's contributed articles.

If you like GeeksforGeeks and would like to contribute, you can also write an article using or mail your article to See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.

Article Tags :

Be the First to upvote.

Please write to us at to report any issue with the above content.