Setting the allowed response headers

  • Some response headers are exposed to cross-origin scripts by the browser by default. These default headers are Content-Type, Content-Language, Cache-Control, Expires, Pragma, and Last-Modified, and they are called simple response headers.
  • However, in some scenarios you may want to expose additional, non-simple headers in the response. To achieve this, the [EnableCors] attribute provides a parameter named exposedHeaders.
  • For example, let's set a special header named "X-Custom-Header" in the response. As this is a special header, it will not be exposed by browsers in a cross-origin request by default. In order to enable the browser to expose this special header, we need to set the header "X-Custom-Header" ...
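The following is an added example (not code from the book) showing a Web API controller that sets X-Custom-Header and lists it in exposedHeaders; the origin, controller name, and header value are assumed, and `config.EnableCors()` is assumed to be called in WebApiConfig.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Cors;

// Keep origins explicit rather than "*": only the listed origin may read the
// exposed header. The origin below is a placeholder for this example.
[EnableCors(origins: "http://client.example",
            headers: "*",
            methods: "GET",
            exposedHeaders: "X-Custom-Header")]
public class CustomHeaderController : ApiController
{
    public HttpResponseMessage Get()
    {
        var response = Request.CreateResponse(HttpStatusCode.OK, "hello");

        // X-Custom-Header is not a simple response header. Because it is listed
        // in exposedHeaders, the CORS handler emits
        // "Access-Control-Expose-Headers: X-Custom-Header", so a cross-origin
        // script's getResponseHeader("X-Custom-Header") returns the value
        // instead of null. Omit it from exposedHeaders and the browser still
        // receives the header but hides it from the script.
        response.Headers.Add("X-Custom-Header", "sample-value");
        return response;
    }
}
```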

Get ASP.NET Web API Security Essentials now with the O’Reilly learning platform.
