CORS requests only expose 6 safelisted headers : Cache-Control Content-Language
Content-Type Expires Last-Modified & Pragma.
In order to access custom headers with a CORS request, the server has to explicitly whitelist them. This can be done by sending the response header: Access-Control-Expose-Headers
For example:
Access-Control-Expose-Headers: X-Total-Count, X-Paging-PageSize
MDN Source