
Access-Control-Expose-Headers: which response headers JavaScript can read

By default, browsers hide most response headers from cross-origin scripts. Access-Control-Expose-Headers lists the header names that fetch() and XMLHttpRequest may surface to your application code.


Default visibility rules

Cross-origin responses still deliver all of their headers to the browser, but the Fetch spec restricts which names are visible to JavaScript unless the response is same-origin or CORS explicitly allows them.

CORS-safelisted response header names such as Cache-Control are visible without any opt-in; custom telemetry headers require Access-Control-Expose-Headers carrying a comma-separated list of the names to reveal.

Proxy and gateway considerations

When traffic passes through a CORS proxy, make sure the proxy and the upstream service agree on which headers are forwarded and which are exposed, and strip secrets at the proxy before they can reach the browser.

Document exposed header names in OpenAPI so frontend teams know which values they can rely on in production.
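The visibility rules above, and the proxy-side policy of stripping internals and exposing only an allowlist, as an added example that is not code from the original post. It models the Fetch spec's filter in plain JavaScript so you can check what a script would actually be able to read; the function names, the policy shape, and the sample upstream headers are all constructed for the illustration.

```javascript
// Added example: model which response headers a cross-origin script can read,
// and build the proxy-side Access-Control-Expose-Headers value from an allowlist.

// CORS-safelisted response-header names (Fetch spec): readable without opt-in.
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// Forbidden response-header names: never readable by script, even if listed.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Case-insensitive lookup of a header value in a plain-object header map.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

// Parse a comma-separated Access-Control-Expose-Headers value into
// trimmed, lowercased names (header names are case-insensitive).
function parseExposeHeaders(value) {
  if (!value) return [];
  return value.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Return the lowercased header names a cross-origin script may read.
// `credentials` is whether the request was sent with credentials (cookies,
// Authorization); it matters because "*" is only honoured without them.
function visibleHeaderNames(headers, { credentials = false } = {}) {
  const exposed = parseExposeHeaders(getHeader(headers, "access-control-expose-headers"));
  // "*" exposes every name only for non-credentialed requests; with
  // credentials the spec treats it as the literal header name "*".
  const wildcard = !credentials && exposed.includes("*");
  return Object.keys(headers)
    .map((n) => n.toLowerCase())
    .filter((n) => !FORBIDDEN.has(n) && (SAFELISTED.has(n) || wildcard || exposed.includes(n)));
}

// Proxy side: forward upstream headers minus a strip list of internals, and
// expose only an explicit allowlist of names that are actually present.
function applyExposePolicy(upstreamHeaders, { expose, strip }) {
  const stripSet = new Set(strip.map((n) => n.toLowerCase()));
  const exposeSet = new Set(expose.map((n) => n.toLowerCase()));
  const out = {};
  const exposedPresent = [];
  for (const [name, value] of Object.entries(upstreamHeaders)) {
    const lower = name.toLowerCase();
    if (stripSet.has(lower)) continue; // never forward internal headers
    out[name] = value;
    if (exposeSet.has(lower)) exposedPresent.push(name);
  }
  if (exposedPresent.length) {
    out["Access-Control-Expose-Headers"] = exposedPresent.join(", ");
  }
  return out;
}

// Constructed sample upstream response headers (not real values).
const UPSTREAM = {
  "Content-Type": "application/json",
  "X-Request-Id": "req-0001",
  "X-RateLimit-Remaining": "42",
  "X-Internal-Upstream": "db-shard-3", // must not reach the browser at all
  "Set-Cookie": "session=abc; HttpOnly", // browser consumes it; script never sees it
};

// Run the proxy policy, then compute what a credentialed fetch() could read.
function demo() {
  const forwarded = applyExposePolicy(UPSTREAM, {
    expose: ["X-Request-Id", "X-RateLimit-Remaining"],
    strip: ["X-Internal-Upstream"],
  });
  return { forwarded, visible: visibleHeaderNames(forwarded, { credentials: true }) };
}
```

In the demo, Content-Type is readable because it is safelisted, the two allowlisted telemetry headers are readable because the proxy listed them, Set-Cookie is forwarded to the browser but stays invisible to script, and X-Internal-Upstream never leaves the proxy. Note that `visibleHeaderNames` also shows why a wildcard is not a shortcut for credentialed APIs: `Access-Control-Expose-Headers: *` reveals nothing extra once cookies or Authorization are attached, so name the headers explicitly.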
