import org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter; ... @Bean public CrossOriginResourceSharingFilter crossOriginResourceSharingFilter() { final CrossOriginResourceSharingFilter corsf = new CrossOriginResourceSharingFilter(); final List<String> exposeHeaders = new ArrayList<>(corsf.getExposeHeaders()); exposeHeaders.add("X-Auth-Token"); log.debug("exposeHeaders: {}", String.join(", ", exposeHeaders)); corsf.setExposeHeaders(exposeHeaders); return corsf; } ...
See also:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Expose-Headers
http://cxf.apache.org/docs/jax-rs-cors.html