The
CORS-safelisted response headers
are:
Cache-Control
,
Content-Language
,
Content-Length
,
Content-Type
,
Expires
,
Last-Modified
,
Pragma
. To expose a non-CORS-safelisted response header, you can specify:
To additionally expose a custom header, like
Kuma-Revision
, you can specify multiple headers separated by a comma:
For requests without credentials, a server can also respond with a wildcard value:
A server can also respond with the
*
value for requests with credentials, but in this case it would refer to a header named
*
.