/ HTTP Headers


The Access-Control-Expose-Headers is an essential component in the suite of HTTP headers that implement the Cross-Origin Resource Sharing (CORS) mechanism. It allows a server to indicate which of its response headers, apart from the simple response headers, can be exposed to the browser API.

What is Access-Control-Expose-Headers?

Access-Control-Expose-Headers is a response header. It lists the headers that the client (a Web API in a browser) is allowed to access. By default, only the following simple response headers can be read:

  • Cache-Control
  • Content-Language
  • Content-Length
  • Content-Type
  • Expires
  • Last-Modified
  • Pragma

If there are additional headers (beyond the above) that the server wants the client to be able to access, it can include them via Access-Control-Expose-Headers.

Basic Usage

The header follows the format:

Access-Control-Expose-Headers: <header-name>[, <header-name>]*

The <header-name> is the name of the header that can be exposed.

For instance, consider a response with this header:

Access-Control-Expose-Headers: X-My-Custom-Header

Here, the server is indicating that the client can access the X-My-Custom-Header response header.

Detailed Examples

Scenario 1: Exposing a Single Custom Header

Suppose your server provides a custom response header X-My-Custom-Header and you want to expose this header to the client. The response header would look like:

Access-Control-Expose-Headers: X-My-Custom-Header

In this case, a client can access X-My-Custom-Header from the response.

Scenario 2: Exposing Multiple Custom Headers

In many situations, you might need to expose multiple headers. To do this, include each header name in the Access-Control-Expose-Headers header, separated by commas:

Access-Control-Expose-Headers: X-My-Custom-Header, X-Another-Custom-Header

With this response, the client can access both X-My-Custom-Header and X-Another-Custom-Header from the response.

Considerations and Caveats

When working with Access-Control-Expose-Headers, there are a few important things to consider:

  • Header Sensitivity: Be mindful of what headers you expose to the client. Exposing sensitive information could pose a security risk.
  • CORS Policy: Access-Control-Expose-Headers is part of the server’s CORS policy and is sent in response to a CORS request. Remember that a server sends response headers to the client; hence, it’s the server that controls which headers are exposed, not the client.


The Access-Control-Expose-Headers header plays a vital role in the CORS mechanism, providing a way for servers to make additional response headers accessible to clients. As with all parts of your CORS policy, careful configuration is needed to ensure both the functionality and security of your web application.

Was this helpful?

Thanks for your feedback!