A simple response header (or a CORS-safelisted response header) is an HTTP header that is one of the following:
- {{HTTPHeader("Cache-Control")}}
- {{HTTPHeader("Content-Language")}}
- {{HTTPHeader("Content-Type")}}
- {{HTTPHeader("Expires")}}
- {{HTTPHeader("Last-Modified")}}
- {{HTTPHeader("Pragma")}}
These headers are not filtered out when a response is filtered by CORS; they are considered safe, as are the headers listed in {{HTTPHeader("Access-Control-Expose-Headers")}}.
Examples
Extending the safelist
You can extend the list of CORS-safelisted response headers by using the {{HTTPHeader("Access-Control-Expose-Headers")}} header:
Access-Control-Expose-Headers: X-Custom-Header, Content-Length
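The following added example (not part of the original page) models the filtering described above, so you can check which headers of a response a cross-origin script could read. The function names and the sample response are constructed for illustration; the safelist is the six names given on this page, and the `Access-Control-Expose-Headers` value is treated as a plain comma-separated list of names.

```javascript
// The six CORS-safelisted response headers listed on this page (lowercased,
// because header names are compared case-insensitively).
const SAFELIST = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);

// Parse an Access-Control-Expose-Headers value into a set of lowercase names.
function parseExposeHeaders(value) {
  return new Set(
    (value || "")
      .split(",")
      .map((name) => name.trim().toLowerCase())
      .filter((name) => name.length > 0)
  );
}

// Split a response's headers into those a cross-origin script can read
// and those that CORS filtering hides from it.
function filterResponseHeaders(headers) {
  const entries = Object.entries(headers);
  const exposeValue = entries.find(
    ([name]) => name.toLowerCase() === "access-control-expose-headers"
  )?.[1];
  const exposed = parseExposeHeaders(exposeValue);
  const readable = {};
  const hidden = [];
  for (const [name, value] of entries) {
    const key = name.toLowerCase();
    if (SAFELIST.has(key) || exposed.has(key)) {
      readable[key] = value;
    } else {
      hidden.push(key);
    }
  }
  return { readable, hidden };
}

// Constructed sample response using the header value from the example above.
const sampleResponse = {
  "Content-Type": "application/json",
  "Cache-Control": "no-store",
  "Content-Length": "348",
  "X-Custom-Header": "abc",
  "X-Request-Id": "constructed-1234",
  "Access-Control-Expose-Headers": "X-Custom-Header, Content-Length",
};
console.log(filterResponseHeaders(sampleResponse));
```

Running the same check over a real response's headers is a quick way to confirm that only the headers you intend to share are listed in `Access-Control-Expose-Headers`.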
Learn more
- HTTP
- HTTP headers
- {{HTTPHeader("Access-Control-Expose-Headers")}}
- {{Glossary("CORS")}}
- {{Glossary("Simple header")}}
- {{Glossary("Forbidden header name")}}
- {{Glossary("Request header")}}