Recommended CORS Allow and Expose Headers

Question

enable-cors.org nginx config suggests using the below values for Access-Control-Allow-Headers and Access-Control-Expose-Headers. But there isn't much explanation of why these are recommended except Custom headers and headers various browsers *should* be OK with but aren't. I'd rather not inflate the payload for every API request if some of these are not needed for my application.

I know I could remove them and wait for something to break but I'm hoping for some background on why/how they were selected so I can make a more educated decision on whether they are necessary for my application. i.e. were they recommended to support a browser that my application doesn't need to support?

Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range

Access-Control-Expose-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range

For the Allow-Headers, I can understand for most of them why a client would want to send them. X-CustomHeader stands out as an oddball though. Also, I tested on Chrome that even if User-Agent isn't explicitly allowed, chrome still sends it. This implies that these options were added for browser compatibility that my app might not need.

For the Expose-Headers, it seems like it would be very application specific on which headers a client needs to read. Why would a client need to read User-Agent, DNT, or X-Requested-With? They contain info meant for the server to consume, not the client. Additionally, Cache-Control and Content-Range are already enabled by default so they seem redundant here.

Answer 1

I ended up going through each header and determining if it was necessary. I compiled a list of changes:

• Changes for both Allow and Expose
  • Removed from both since they are non-standard headers
    • X-CustomHeader
  • Removed from both since they are non-standard and semi-deprecated
    • Keep-Alive
• Changes for Allow:
  • Removed since they are response-specific headers (used only for servers to inform client)
    • Content-Range
  • Kept even though they are enabled by default but only for certain types of requests (as per MDN):
    • Content-Type
• Changes for Expose:
  • Removed since they are already enabled by default (as per MDN)
    • Cache-Control
    • Content-Type
  • Removed since they are request-specific headers (used only for clients to inform server)
    • DNT
    • User-Agent
    • X-Requested-With
    • If-Modified-Since
    • Range
  • Added since they seem useful
    • Content-Length

This leaves me with the following:

Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range

Access-Control-Expose-Headers: Content-Length,Content-Range

Any comments or corrections would be greatly appreciated.