HTTP headers | Access-Control-Expose-Headers

Last Updated: 19 Nov, 2019

The HTTP Access-Control-Expose-Headers header is a response header that tells the browser which response headers may be exposed to scripts making a cross-origin request. By default, 6 response headers are already exposed; these are known as the CORS-safelisted response headers: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma. Any other response header is hidden from the calling script unless it is named in Access-Control-Expose-Headers.


Syntax:

Access-Control-Expose-Headers: <header-name>
Access-Control-Expose-Headers: *

Note: Multiple headers can be used.


Directives:

  • <header-name>: The name of a header to expose in addition to the CORS-safelisted headers. Multiple header names are separated by commas.
  • * (wildcard): Applies only to requests made without HTTP cookies or HTTP authentication information. Note that the Authorization header cannot be wildcarded and must be listed explicitly.


Examples:

  • In this example, the Accept-Language HTTP header is exposed. Note that it is not a CORS-safelisted header.
    Access-Control-Expose-Headers: Accept-Language
  • In this example, the Authorization HTTP header has to be listed explicitly, because it cannot be covered by the wildcard.
    Access-Control-Expose-Headers: *, Authorization
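
The following JavaScript is an added example, not code from the original article. It models the exposure rules as described above (the six safelisted headers, comma-separated names, a wildcard that applies only without credentials and never covers Authorization) so that a response can be audited for what a cross-origin script could read. The function names and the sample response are constructed for illustration.

```javascript
// Added example: models the exposure rules as this article states them.
// SAFELISTED is the article's list of six CORS-safelisted response headers.
const SAFELISTED = ["cache-control", "content-language", "content-type",
                    "expires", "last-modified", "pragma"];

// Split an Access-Control-Expose-Headers value into lowercase tokens.
function parseExposeHeaders(value) {
  return (value || "")
    .split(",")
    .map((t) => t.trim().toLowerCase())
    .filter((t) => t.length > 0);
}

// Return the sorted, lowercase names of the response headers that a
// cross-origin script may read.
// responseHeaders: plain object mapping header name -> value.
// withCredentials: true when the request carried cookies or HTTP auth.
function readableHeaders(responseHeaders, withCredentials) {
  const keys = Object.keys(responseHeaders);
  const names = keys.map((n) => n.toLowerCase());
  const exposeKey = keys.find(
    (n) => n.toLowerCase() === "access-control-expose-headers");
  const listed = parseExposeHeaders(exposeKey ? responseHeaders[exposeKey] : "");
  // "*" acts as a wildcard only for requests without credentials.
  const wildcard = !withCredentials && listed.includes("*");
  return names.filter((name) => {
    if (SAFELISTED.includes(name) || listed.includes(name)) return true;
    // Authorization is never covered by the wildcard; it must be named.
    return wildcard && name !== "authorization";
  }).sort();
}

// Constructed sample response used for the audit.
const sample = {
  "Content-Type": "application/json",
  "X-Request-Id": "abc123",
  "X-Internal-Debug": "cache=miss",
  "Authorization": "constructed-value",
  "Access-Control-Expose-Headers": "*",
};

console.log(readableHeaders(sample, false)); // wildcard in effect
console.log(readableHeaders(sample, true));  // wildcard ignored
```

With the wildcard, the constructed X-Internal-Debug header becomes readable to any permitted origin; listing only the header names that clients actually need keeps such headers hidden.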

Supported Browsers: The browsers compatible with the HTTP Access-Control-Expose-Headers header are listed below:

  • Google Chrome 4.0
  • Internet Explorer 12.0
  • Opera 12.0
  • Firefox 3.5
  • Safari 4.0

Note: The * (wildcard) directive may not be supported on Safari and Internet Explorer.
