In the HTTP CORS spec, what's the difference between Allow-Headers and Expose-Headers?

Access-Control-Allow-Headers

Used in response to a preflight request to indicate which HTTP headers can be used when making the actual request.

Access-Control-Expose-Headers

This header lets a server whitelist headers that browsers are allowed to access. For example:

Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS


Just to clarify a comment above that these are badly named: they are not badly named.

They serve distinct functions.

  • Access-Control-Allow-Headers specifies which headers are allowed to change the state of the server.
  • While Access-Control-Expose-Headers has a getResponseHeader() method that returns the value of a particular response header. During a CORS request, the getResponseHeader() method can only access simple response headers. To be able to access other headers, you need to specify them here.
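A small added example (not from the question or either answer) showing both headers on a hypothetical API: the preflight handler uses Access-Control-Allow-Headers to say which request headers the page may send, the real response uses Access-Control-Expose-Headers to say which non-simple response headers the page may read, and readableByScript() is a simplified model of the browser's filter, not browser code. The origin, header names and the X-Internal-Node value are constructed.

```javascript
const ALLOWED_ORIGIN = 'https://app.example';                        // constructed
const ALLOWED_REQUEST_HEADERS = ['Content-Type', 'X-Request-Id'];    // may be SENT by the page
const EXPOSED_RESPONSE_HEADERS = ['X-Request-Id'];                   // may be READ by the page

// CORS-safelisted ("simple") response headers: readable by script even without Expose-Headers.
const SAFELISTED_RESPONSE_HEADERS = new Set(['cache-control', 'content-language',
  'content-length', 'content-type', 'expires', 'last-modified', 'pragma']);

const splitList = v => (v || '').split(',').map(h => h.trim().toLowerCase()).filter(Boolean);

// Preflight (OPTIONS): Access-Control-Allow-Headers answers "may the page send
// these request headers?" Header names in `req.headers` are assumed lowercase.
function preflightResponse(req) {
  if (req.origin !== ALLOWED_ORIGIN) return { status: 403, headers: {} };
  const requested = splitList(req.headers['access-control-request-headers']);
  const allowed = ALLOWED_REQUEST_HEADERS.map(h => h.toLowerCase());
  // Reject the preflight if the page wants to send a header that is not allowed.
  if (!requested.every(h => allowed.includes(h))) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': ALLOWED_ORIGIN,
      'Access-Control-Allow-Methods': 'GET, POST',
      'Access-Control-Allow-Headers': ALLOWED_REQUEST_HEADERS.join(', '),
    },
  };
}

// Actual request: Access-Control-Expose-Headers names the non-simple
// response headers that getResponseHeader() is allowed to return.
function actualResponse(req) {
  return {
    status: 200,
    headers: {
      'Access-Control-Allow-Origin': ALLOWED_ORIGIN,
      'Access-Control-Expose-Headers': EXPOSED_RESPONSE_HEADERS.join(', '),
      'Content-Type': 'application/json',
      'X-Request-Id': req.headers['x-request-id'] || 'none',
      'X-Internal-Node': 'edge-17', // constructed; intentionally not exposed
    },
  };
}

// Browser-side model: which response header names a cross-origin script can read.
function readableByScript(response) {
  const exposed = splitList(response.headers['Access-Control-Expose-Headers']);
  return Object.keys(response.headers).filter(name =>
    SAFELISTED_RESPONSE_HEADERS.has(name.toLowerCase()) || exposed.includes(name.toLowerCase()));
}
```

Note that X-Internal-Node is sent to the browser but stays invisible to the page's script, while Content-Type is readable without being listed because it is a simple response header.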

Tags:

Http

Cors