Today I Learned
Tidbits of (hopefully) useful information on technologies and tools related to software development.

Access-Control-Allow-Headers vs. Access-Control-Expose-Headers

November 16, 2020 - HTTP

Access-Control-Allow-Headers

Response header sent in reply to a preflight request (OPTIONS) that indicates which request headers can be used when making the actual request.

# Example request
curl -vX OPTIONS \
  -H "Origin: https://yourdomain.com" \
  -H "Access-Control-Request-Method: POST" \
  -H "Access-Control-Request-Headers: X-Some-Header" \
  https://www.someapi.com/

# Example response
# ...
< access-control-allow-origin: https://yourdomain.com
< access-control-allow-methods: OPTIONS,POST
< access-control-allow-headers: X-Some-Header
# ...

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers

Access-Control-Expose-Headers

Response header sent in reply to an actual request that indicates which other response headers the client (e.g., a browser) is allowed to access.

# Example request
curl -v -H "Origin: https://yourdomain.com" \
  https://www.someapi.com/

# Example response
# ...
< access-control-allow-origin: https://yourdomain.com
< access-control-expose-headers: X-Some-Header
# ...

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers
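The two checks side by side, as an added example that is not part of the original post: a simplified model of how a browser applies each header, which also covers the `*` wildcard and credentialed requests. The function names and sample header values are constructed for illustration, header maps are assumed to use lowercase keys, and the origin and method checks are left out.

```javascript
// Added example: simplified model of the two browser-side CORS header checks.
// Function names and sample values are constructed; header maps use lowercase keys.

// Request headers a script may send without preflight approval (value limits ignored).
const SAFE_REQUEST = new Set(["accept", "accept-language", "content-language", "content-type"]);
// Response headers a script may always read from a cross-origin response.
const SAFE_RESPONSE = new Set(["cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma"]);
// Response headers that are never readable by script, even with a wildcard.
const FORBIDDEN_RESPONSE = new Set(["set-cookie", "set-cookie2"]);

const parseList = (value) =>
  new Set((value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean));

// Preflight response: which headers the script wants to send are NOT permitted?
function blockedRequestHeaders(wanted, preflightHeaders, credentialed = false) {
  const allowed = parseList(preflightHeaders["access-control-allow-headers"]);
  // "*" is a wildcard only without credentials, and never covers Authorization.
  const wildcard = allowed.has("*") && !credentialed;
  return wanted.map((h) => h.toLowerCase()).filter((h) => {
    if (SAFE_REQUEST.has(h) || allowed.has(h)) return false;
    return !(wildcard && h !== "authorization");
  });
}

// Actual response: which of its headers can the script read?
function readableResponseHeaders(responseHeaders, credentialed = false) {
  const exposed = parseList(responseHeaders["access-control-expose-headers"]);
  const wildcard = exposed.has("*") && !credentialed;
  return Object.keys(responseHeaders)
    .filter((h) => !FORBIDDEN_RESPONSE.has(h))
    .filter((h) => SAFE_RESPONSE.has(h) || exposed.has(h) || wildcard);
}

// Constructed sample data mirroring the curl exchanges above.
const preflight = { "access-control-allow-headers": "X-Some-Header" };
const response = {
  "access-control-allow-origin": "https://yourdomain.com",
  "access-control-expose-headers": "X-Some-Header",
  "content-type": "application/json",
  "x-some-header": "abc",
  "x-request-id": "r-123", // sent by the server, but hidden from script
};
console.log(blockedRequestHeaders(["X-Some-Header", "X-Other"], preflight));
console.log(readableResponseHeaders(response));
```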
