CORS-safelisted response header
A CORS-safelisted response header is an HTTP header in a CORS response that is considered safe to expose to client scripts. Only safelisted response headers are made available to web pages: the browser still receives every header of the cross-origin response, but scripts cannot read the others (for example, Headers.get() returns null for them).
By default, the safelist includes the following response headers:
Cache-Control
Content-Language
Content-Length
Content-Type
Expires
Last-Modified
Pragma
Additional headers can be added to the safelist using Access-Control-Expose-Headers.
Note: Content-Length was not part of the original set of safelisted response headers [ref].
Examples
Extending the safelist
You can extend the list of CORS-safelisted response headers by using the Access-Control-Expose-Headers header:
Access-Control-Expose-Headers: X-Custom-Header, Content-Encoding
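The following is an added example, not code from this page: it models the rule the browser applies when deciding which headers of a cross-origin response a script may read, combining the default safelist with the names in Access-Control-Expose-Headers. The sample response headers are constructed for illustration; the function and constant names are my own. It also covers two edge cases the text above does not spell out: a wildcard "*" in Access-Control-Expose-Headers, which exposes every header only when the request was made without credentials, and Set-Cookie, which is never readable even if explicitly listed.

```javascript
// Added example, not code from the MDN page: a model of the Fetch spec
// rules that decide which headers of a cross-origin response a script can
// read. Header names and values below are constructed for illustration.

const CORS_SAFELISTED_RESPONSE_HEADERS = new Set([
  'cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma',
]);

// Forbidden response-header names are never readable, even if exposed.
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);

// Split an Access-Control-Expose-Headers value into lower-cased names.
function parseExposeHeaders(value) {
  if (typeof value !== 'string') return [];
  return value.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// headers: array of [name, value] pairs as they arrived on the CORS response.
// credentialsMode: 'include' when the request carried credentials, else 'omit'.
// Returns the sorted, de-duplicated list of header names a script may read.
function exposedHeaderNames(headers, credentialsMode = 'omit') {
  const present = new Set(headers.map(([name]) => name.toLowerCase()));
  const exposeValue = headers
    .filter(([name]) => name.toLowerCase() === 'access-control-expose-headers')
    .map(([, value]) => value)
    .join(',');
  let exposeList = parseExposeHeaders(exposeValue);

  // A bare "*" exposes everything only for credential-less requests; with
  // credentials it is taken literally as a header named "*".
  if (credentialsMode !== 'include' && exposeList.includes('*')) {
    exposeList = [...present];
  }

  const readable = new Set();
  for (const name of present) {
    if (FORBIDDEN_RESPONSE_HEADERS.has(name)) continue;
    if (CORS_SAFELISTED_RESPONSE_HEADERS.has(name) || exposeList.includes(name)) {
      readable.add(name);
    }
  }
  return [...readable].sort();
}

// Constructed sample response: one custom header is exposed, another is not,
// and Content-Encoding is listed but absent from the response.
const SAMPLE_RESPONSE_HEADERS = [
  ['Content-Type', 'application/json'],
  ['Content-Length', '42'],
  ['X-Custom-Header', 'value'],
  ['X-Request-Id', 'abc123'],
  ['Set-Cookie', 'session=deadbeef'],
  ['Access-Control-Allow-Origin', 'https://app.example'],
  ['Access-Control-Expose-Headers', 'X-Custom-Header, Content-Encoding'],
];

console.log(exposedHeaderNames(SAMPLE_RESPONSE_HEADERS));
// ['content-length', 'content-type', 'x-custom-header']
```

Note that X-Request-Id is dropped even though the server sent it, because it is neither safelisted nor listed in Access-Control-Expose-Headers; this is the usual cause of "header missing in fetch() but visible in devtools" reports.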