CORS-safelisted response header

A CORS-safelisted response header is an HTTP header in a CORS response that is considered safe to expose to client scripts. Only safelisted response headers are made available to web pages; any other header in a cross-origin response is hidden from script unless the server explicitly exposes it.

By default, the safelist includes the following response headers:

Additional headers can be added to the safelist using Access-Control-Expose-Headers.

Note

Content-Length was not part of the original set of safelisted response headers [ref].

Examples

Extending the safelist

You can extend the list of CORS-safelisted response headers by using the Access-Control-Expose-Headers header:

Access-Control-Expose-Headers: X-Custom-Header, Content-Encoding
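As an added example (not code from the MDN page), the following models the browser-side decision of which headers of a cross-origin response a script is allowed to read. The default safelist is taken from the Fetch specification's list of CORS-safelisted response-header names, so it includes Content-Length as the note above discusses. It goes slightly beyond the page in two ways: a bare `*` in Access-Control-Expose-Headers exposes every header only when the request was made without credentials, and Set-Cookie is never exposed to script even if a server lists it. The header names and values in the sample response are constructed; `exposedHeaders` and `parseExposeHeaders` are hypothetical helper names.

```javascript
// Added example: a model of how a browser filters the headers of a CORS
// response before handing them to client-side script. Not browser code.

// CORS-safelisted response-header names (Fetch spec), compared case-insensitively.
const CORS_SAFELISTED_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// Forbidden response-header names: never readable by script, even if a server
// explicitly names them in Access-Control-Expose-Headers.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Split "X-Custom-Header, Content-Encoding" into lower-cased, trimmed names.
function parseExposeHeaders(value) {
  if (!value) return [];
  return value
    .split(",")
    .map((name) => name.trim().toLowerCase())
    .filter((name) => name.length > 0);
}

// responseHeaders: plain object of header name -> value (constructed input).
// credentials: true when the request was sent with credentials (cookies, TLS
// client certs, HTTP auth). In that mode "*" is not a wildcard.
// Returns the subset of headers a cross-origin script may read.
function exposedHeaders(responseHeaders, { credentials = false } = {}) {
  const lower = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    lower[name.toLowerCase()] = value;
  }

  const listed = parseExposeHeaders(lower["access-control-expose-headers"]);
  const wildcard = !credentials && listed.includes("*");

  const exposed = {};
  for (const [name, value] of Object.entries(lower)) {
    if (FORBIDDEN_RESPONSE_HEADERS.has(name)) continue;
    if (
      CORS_SAFELISTED_RESPONSE_HEADERS.has(name) ||
      wildcard ||
      listed.includes(name)
    ) {
      exposed[name] = value;
    }
  }
  return exposed;
}

// Constructed sample response: the server extends the safelist exactly as in
// the example above, so X-Custom-Header and Content-Encoding become readable,
// while X-Internal-Id stays hidden and Set-Cookie is always hidden.
const SAMPLE_RESPONSE = {
  "Content-Type": "application/json",
  "Content-Encoding": "gzip",
  "X-Custom-Header": "example",
  "X-Internal-Id": "do-not-expose",
  "Set-Cookie": "session=abc",
  "Access-Control-Expose-Headers": "X-Custom-Header, Content-Encoding",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(exposedHeaders(SAMPLE_RESPONSE));
}
```

Running the block prints only content-type, content-encoding and x-custom-header. The practical consequence for a server operator is that Access-Control-Expose-Headers should name only the headers a cross-origin page genuinely needs; `*` removes that control for non-credentialed requests and should be reserved for truly public resources.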