In the HTTP CORS spec, what's the difference between Allow-Headers and Expose-Headers?
Access-Control-Allow-Headers
Used in response to a preflight request to indicate which HTTP headers can be used when making the actual request.
Access-Control-Expose-Headers
This header lets a server whitelist headers that browsers are allowed to access. For example:
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
Just to clarify a comment above that these are badly named, these are not badly named.
They serve distinct functions.
Access-control-allow-headers
specifies which headers are allowed to change the state of the server, while
Access-control-expose-headers
relates to the get method getResponseHeader(), which returns the value of a particular response header. During a CORS request, the getResponseHeader() method can only access simple response headers. To be able to access other headers, you need to specify them here.