Access-Control-Expose-Headers

The Access-Control-Expose-Headers response header indicates which headers can be exposed as part of the response by listing their names.

By default, only the 6 CORS-safelisted response headers are exposed:

If you want clients to be able to access other headers, you have to list them using the Access-Control-Expose-Headers header.

Header type: Response header
Forbidden header name: no

Syntax

Access-Control-Expose-Headers: <header-name>, <header-name>, ...
Access-Control-Expose-Headers: *

Directives

<header-name>
A list of zero or more header names, other than the CORS-safelisted response headers, that the resource might use and that can be exposed.
* (wildcard)
The value "*" only counts as a special wildcard value for requests without credentials (requests without HTTP cookies or HTTP authentication information). In requests with credentials, it is treated as the literal header name "*" without special semantics.
Note that the Authorization header can't be wildcarded and always needs to be listed explicitly.

Examples

To expose a non-CORS-safelisted response header, you can specify:

Access-Control-Expose-Headers: Content-Length

To additionally expose a custom header, like X-Kuma-Revision, you can specify multiple headers separated by a comma:

Access-Control-Expose-Headers: Content-Length, X-Kuma-Revision

In requests without credentials, you can also use a wildcard value:

Access-Control-Expose-Headers: *

However, this won't wildcard the Authorization header, so if you need to expose that, you will need to list it explicitly:

Access-Control-Expose-Headers: *, Authorization
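
The rules above can be checked against a server's configuration with a small model. This is an added JavaScript example, not part of the original page and not browser code: the function names and the sample response are constructed, and the six safelisted names are an assumption taken from the Fetch standard as it stood when this page was written, since the page gives only their count.

```javascript
// Assumption: the six CORS-safelisted response headers the page counts
// but does not name (Fetch standard definition of that period).
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);

// Parse "Content-Length, X-Kuma-Revision" into a set of lowercased names.
function parseExposeHeaders(value) {
  return new Set(
    (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean)
  );
}

// Return the sorted, lowercased names of the response headers that a
// cross-origin script could read, following the rules stated on this page.
function exposedHeaders(responseHeaders, exposeValue, withCredentials) {
  const listed = parseExposeHeaders(exposeValue);
  // "*" is a wildcard only for requests without credentials; with
  // credentials it is just a literal header name "*".
  const wildcard = listed.has("*") && !withCredentials;
  return Object.keys(responseHeaders)
    .map((name) => name.toLowerCase())
    .filter((name) => {
      if (SAFELISTED.has(name)) return true; // exposed by default
      if (listed.has(name)) return true;     // listed explicitly
      // Per the page, the wildcard never covers Authorization.
      return wildcard && name !== "authorization";
    })
    .sort();
}

// Constructed sample response headers (values are placeholders).
const SAMPLE = {
  "Content-Type": "application/json",
  "Content-Length": "348",
  "X-Kuma-Revision": "constructed-revision",
  "Authorization": "constructed-value",
};

console.log(exposedHeaders(SAMPLE, "*", false));
console.log(exposedHeaders(SAMPLE, "*", true));
```

Running the same response through both credential modes shows why a server that relies on `*` silently stops exposing its custom headers once clients send cookies.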

Specifications

Specification: Fetch (the definition of 'Access-Control-Expose-Headers' in that specification)
Status: Living Standard

Browser compatibility

Access-Control-Expose-Headers
Desktop: Chrome 4, Edge 12, Firefox 3.5, Internet Explorer 10, Opera 12, Safari 4
Mobile: Android webview 2, Chrome for Android Yes, Firefox for Android 4, Opera for Android 12, Safari on iOS 3.2, Samsung Internet Yes

Wildcard (*)
Desktop: Chrome 65, Edge No support, Firefox 69, Internet Explorer No support, Opera 52, Safari No support
Mobile: Android webview 65, Chrome for Android 65, Firefox for Android No support, Opera for Android 47, Safari on iOS No support, Samsung Internet 9.0
