Revision 1129159 of Access-Control-Expose-Headers

  • Revision slug: Web/HTTP/Headers/Access-Control-Expose-Headers
  • Revision title: Access-Control-Expose-Headers
  • Revision id: 1129159
  • Created:
  • Creator: fscholz
  • Is current revision? No
  • Comment
Tags: 

Revision Content
{{HTTPSidebar}}

The Access-Control-Expose-Headers response header indicates which headers can be exposed as part of the response by listing their names.

By default, only the 6 {{Glossary("Simple response header", "simple response headers")}} are exposed:

  • {{HTTPHeader("Cache-Control")}}
  • {{HTTPHeader("Content-Language")}}
  • {{HTTPHeader("Content-Type")}}
  • {{HTTPHeader("Expires")}}
  • {{HTTPHeader("Last-Modified")}}
  • {{HTTPHeader("Pragma")}}

If you want clients to be able to access other headers, you have to list them using the Access-Control-Expose-Headers header.

Header type {{Glossary("Response header")}}
{{Glossary("Forbidden header name")}} no

Syntax

Access-Control-Expose-Headers: *
Access-Control-Expose-Headers: <header-name>, <header-name>, ...

Directives

*
Any header name is exposed.
<header-name>
A list of exposed headers consisting of zero or more header names other than the {{Glossary("Simple response header", "simple response headers")}} that the resource might use and can be exposed.

Examples

To expose any header names, you can specify:

Access-Control-Expose-Headers: *

To expose a non-simple response header, you can specify:

Access-Control-Expose-Header: Content-Length

To additionally expose a custom header, like X-Kuma-Revision, you can specify mulitple headers separated by a comma:

Access-Control-Expose-Header: Content-Length, X-Kuma-Revision

Specifications

Specification Status Comment
{{SpecName('Fetch','#http-access-control-expose-headers', 'Access-Control-Expose-Headers')}} {{Spec2("Fetch")}}  

Browser compatibility

{{Compat}}

See also

  • {{HTTPHeader("Access-Control-Allow-Headers")}}
  • {{HTTPHeader("Access-Control-Allow-Origin")}}

Revision Source

 
<div>{{HTTPSidebar}}</div>

<p>The <strong><code>Access-Control-Expose-Headers</code></strong> response header indicates which headers can be exposed as part of the response by listing their names.</p>

<p>By default, only the 6 {{Glossary("Simple response header", "simple response headers")}} are exposed:</p>

<ul>
 <li>{{HTTPHeader("Cache-Control")}}</li>
 <li>{{HTTPHeader("Content-Language")}}</li>
 <li>{{HTTPHeader("Content-Type")}}</li>
 <li>{{HTTPHeader("Expires")}}</li>
 <li>{{HTTPHeader("Last-Modified")}}</li>
 <li>{{HTTPHeader("Pragma")}}</li>
</ul>

<p>If you want clients to be able to access other headers, you have to list them using the <code>Access-Control-Expose-Headers</code> header.</p>

<table class="properties">
 <tbody>
  <tr>
   <th scope="row">Header type</th>
   <td>{{Glossary("Response header")}}</td>
  </tr>
  <tr>
   <th scope="row">{{Glossary("Forbidden header name")}}</th>
   <td>no</td>
  </tr>
 </tbody>
</table>

<h2 id="Syntax">Syntax</h2>

<pre class="syntaxbox">
Access-Control-Expose-Headers: *
Access-Control-Expose-Headers: &lt;header-name&gt;, &lt;header-name&gt;, ...
</pre>

<h2 id="Directives">Directives</h2>

<dl>
 <dt>*</dt>
 <dd>Any header name is exposed.</dd>
 <dt>&lt;header-name&gt;</dt>
 <dd>A list of exposed headers consisting of zero or more header names other than the {{Glossary("Simple response header", "simple response headers")}} that the resource might use and can be exposed.</dd>
</dl>

<h2 id="Examples">Examples</h2>

<p>To expose any header names, you can specify:</p>

<pre>
Access-Control-Expose-Headers: *</pre>

<p>To expose a non-simple response header, you can specify:</p>

<pre>
Access-Control-Expose-Header: Content-Length</pre>

<p>To additionally expose a custom header, like <code>X-Kuma-Revision</code>, you can specify mulitple headers separated by a comma:</p>

<pre>
Access-Control-Expose-Header: Content-Length, X-Kuma-Revision</pre>

<h2 id="Specifications">Specifications</h2>

<table class="standard-table">
 <tbody>
  <tr>
   <th scope="col">Specification</th>
   <th scope="col">Status</th>
   <th scope="col">Comment</th>
  </tr>
  <tr>
   <td>{{SpecName('Fetch','#http-access-control-expose-headers', 'Access-Control-Expose-Headers')}}</td>
   <td>{{Spec2("Fetch")}}</td>
   <td>&nbsp;</td>
  </tr>
 </tbody>
</table>

<h2 id="Browser_compatibility">Browser compatibility</h2>

<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>

<p>{{Compat}}</p>

<h2 id="See_also">See also</h2>

<ul>
 <li>{{HTTPHeader("Access-Control-Allow-Headers")}}</li>
 <li>{{HTTPHeader("Access-Control-Allow-Origin")}}</li>
</ul>
Revert to this revision