Summary  
This chapter explains how to configure servers to explicitly expose custom HTTP response headers to client-side code in cross-origin requests by using the Access-Control-Expose-Headers header.

General domain of usage  
Web development

**Exposing Custom Response Headers with CORS**

This video demonstrates how to configure a backend server to expose custom response headers to the browser using the `Access-Control-Expose-Headers` header in CORS, allowing frontend JavaScript to read them.

When working with CORS, you may need to let browsers access certain custom response headers from your backend. By default, browsers only make a limited set of response headers available to JavaScript running on the client side. To expose additional headers, you use the `Access-Control-Expose-Headers` response header. This header tells the browser which headers it is allowed to make accessible to frontend JavaScript code after a cross-origin request.

Browsers always expose a small set of **"simple" response headers** by default, including:

- Cache-Control;
- Content-Language;
- Content-Type;
- Expires;
- Last-Modified;
- Pragma.

If your backend sends other headers—such as `X-Custom-Header`, `X-Auth-Token`, or any custom metadata—they will not be readable by the browser unless you explicitly expose them using `Access-Control-Expose-Headers`. This is important when your frontend needs to access authentication tokens, pagination info, or any custom data sent in headers.

```
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://example.com
Access-Control-Expose-Headers: X-Custom-Header
X-Custom-Header: ExampleValue
Content-Type: application/json

{
  "message": "Success"
}
```

In this example, the backend response includes the `Access-Control-Expose-Headers: X-Custom-Header` header. This tells the browser that JavaScript running on `https://example.com` can access the value of the `X-Custom-Header` header using APIs like `fetch` or `XMLHttpRequest`. Without this configuration, the browser would block access to `X-Custom-Header`, keeping it hidden from client-side scripts.

What does Access-Control-Expose-Headers do?

A comprehensive course on the internal workings of Cross-Origin Resource Sharing (CORS), focusing on browser and backend interactions, security policies, credential handling, common misconfigurations, and real-world security risks. Designed for backend developers and security professionals, this course provides clear explanations, practical HTTP examples, and backend-focused security scenarios.

Explore the core concepts of CORS, how browsers enforce cross-origin policies, and the basic HTTP mechanisms involved.

Learn how backend systems implement CORS, configure headers, and handle credentials securely.

Analyze common CORS misconfigurations, real-world attack scenarios, and best practices for secure implementation.

Exposing Response Headers to the Browser