Access-Control-Allow-Headers
Used in response to a preflight request to indicate which HTTP headers can be used when making the actual request.
Access-Control-Expose-Headers
This header lets a server whitelist the response headers that browsers are allowed to expose to scripts. For example:
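The following is an added example, not taken from the source page. It sketches both headers in use: a server-side preflight check that answers with Access-Control-Allow-Headers from a fixed allow-list, and a model of which response headers a cross-origin script can read once Access-Control-Expose-Headers is set. The policy, origin, header names and function names are assumptions made for the illustration, and method checks are left out.

```javascript
// Constructed policy for this example; origin and header names are assumptions.
const POLICY = {
  origin: "https://app.example",
  allowHeaders: ["content-type", "x-request-id"], // request headers the API accepts
  exposeHeaders: ["X-RateLimit-Remaining"],       // response headers scripts may read
};
// CORS-safelisted response headers: readable by scripts without being exposed.
const SAFELISTED = ["cache-control", "content-language", "content-length",
                    "content-type", "expires", "last-modified", "pragma"];

const parseList = v => (v || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);

// Server side: answer a preflight. `req.headers` uses lowercase names.
function preflightResponse(req, policy = POLICY) {
  const h = req.headers;
  const isPreflight = req.method === "OPTIONS" && h["access-control-request-method"];
  if (!isPreflight || h.origin !== policy.origin)
    return { status: 403, headers: {}, refused: [] };
  // Compare with the allow-list; never echo Access-Control-Request-Headers back.
  const refused = parseList(h["access-control-request-headers"])
    .filter(n => !policy.allowHeaders.includes(n));
  if (refused.length) return { status: 403, headers: {}, refused };
  return { status: 204, refused, headers: {
    "Access-Control-Allow-Origin": policy.origin,
    "Access-Control-Allow-Headers": policy.allowHeaders.join(", "),
    "Vary": "Origin, Access-Control-Request-Headers",
  } };
}

// Server side: CORS headers attached to the actual (non-preflight) response.
function actualResponseHeaders(policy = POLICY) {
  return {
    "Access-Control-Allow-Origin": policy.origin,
    "Access-Control-Expose-Headers": policy.exposeHeaders.join(", "),
  };
}

// Browser side (model): names of response headers a cross-origin script can read.
function readableByScript(responseHeaders) {
  const exposed = parseList(responseHeaders["Access-Control-Expose-Headers"]);
  return Object.keys(responseHeaders).filter(name =>
    SAFELISTED.includes(name.toLowerCase()) || exposed.includes(name.toLowerCase()));
}

// Constructed response: one safelisted, one exposed and one internal header.
const sampleResponse = { "Content-Type": "application/json", "X-RateLimit-Remaining": "41",
  "X-Internal-Trace": "constructed-value", ...actualResponseHeaders() };
console.log(readableByScript(sampleResponse));
```

The internal header stays unreadable to the calling script because it is neither safelisted nor named in Access-Control-Expose-Headers.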
Source:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS