
CORS-Safelisted Response Header

A CORS-safelisted response header is an HTTP header in a CORS response that is considered safe to expose to client scripts. Only safelisted response headers are made available to web pages.


By default, the safelist includes the following response headers:

Additional headers can be added to the safelist using Access-Control-Expose-Headers.

Note: Content-Length was not part of the original set of safelisted response headers.

Examples

Extending the safelist

You can extend the list of CORS-safelisted response headers by using the Access-Control-Expose-Headers header:

```http
Access-Control-Expose-Headers: X-Custom-Header, Content-Encoding
```
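The following is an added example, not code from the original page: a small model of the filter a browser applies before a cross-origin script can read response headers, useful for auditing what a given `Access-Control-Expose-Headers` value actually reveals. The default safelist names, the credential-dependent `*` wildcard and the forbidden `Set-Cookie` names are taken from the Fetch standard rather than from this page; the function names and the sample response are constructed for illustration.

```javascript
// Default CORS-safelisted response headers (per the Fetch standard).
const SAFELIST = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);
// Forbidden response-header names are never readable by scripts.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Parse an Access-Control-Expose-Headers value into lowercase names.
function parseExposeHeaders(value) {
  return (value || "")
    .split(",")
    .map((name) => name.trim().toLowerCase())
    .filter((name) => name.length > 0);
}

// Return the sorted header names a cross-origin script can read.
// `headers` is a plain object of response headers (hypothetical shape);
// `credentialed` is true when the request was sent with credentials.
function readableHeaders(headers, credentialed = false) {
  const names = Object.keys(headers);
  const exposeKey = names.find(
    (h) => h.toLowerCase() === "access-control-expose-headers"
  );
  const exposed = new Set(parseExposeHeaders(exposeKey && headers[exposeKey]));
  // "*" is a wildcard only for requests made without credentials;
  // with credentials it is matched as a literal header name.
  const wildcard = !credentialed && exposed.has("*");
  return names
    .map((h) => h.toLowerCase())
    .filter((h) => !FORBIDDEN.has(h))
    .filter((h) => wildcard || SAFELIST.has(h) || exposed.has(h))
    .sort();
}

// Constructed sample response using the header value from this page.
const sampleResponse = {
  "Content-Type": "application/json",
  "Content-Encoding": "gzip",
  "X-Custom-Header": "abc",
  "X-Request-Id": "constructed-1234",
  "Set-Cookie": "sid=constructed",
  "Access-Control-Expose-Headers": "X-Custom-Header, Content-Encoding",
};
console.log(readableHeaders(sampleResponse));
```

Running the same function over a response that sends `*` shows every non-forbidden header becoming readable for non-credentialed requests, which is the case to review before adopting the wildcard.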


Updated on April 20, 2024 by Datarist.