Actix-web Cors with custom header: I can get the header

Hi,

I am working on a backend where I have to make a response with a pdf and a report.

I send the pdf in the body and I put the report in a header like this:

HttpResponse::Ok()
    .append_header(("REPORT", json))
    .content_type("application/pdf")
    .body(pdf)

This works well. But my teammate can access my report header.
So we think we have to change the Cors settings in actix-web to expose this header.

Access-Control-Expose-Headers: report

So after reading the actix-cors documentation:

I was thinking of using this function.
But I realized that I was already using a very permissive Cors:

let server = HttpServer::new(move || {
    let cors = actix_cors::Cors::permissive().allow_any_header();
    App::new()
        .wrap(cors)
...

Actually, this is not working for my teammates, so I wonder how we can add Access-Control-Expose-Headers: report with actix-web?

By the way, when I test with Postman, I have the report and date (the date is not mine, it is there by default) in the headers:

But in our frontend, my teammate cannot get the report and date values.
And on my local computer, I can get the report, but not the date value...

On my computer, the Access-Control-Expose-Headers value is defined:

I have date in the headers, but not in Access-Control-Expose-Headers.

For my teammates, there is no Access-Control-Expose-Headers value at all in the response.

So how can we get the report and date in our frontend? Is the problem not from Access-Control-Expose-Headers?

Side comment, but is the allow_any_header needed?

I interpret that this is included in permissive(), see builder.rs - source. However, I may be misreading it.

I am unsure whether this means permissive should only be used for local dev:

The alternative Cors::permissive() constructor is available for local development, allowing all origins and headers, etc. The permissive constructor should not be used in production.

Just adding some possible pointers. You may still try allowing all origins and all headers on top of Cors::default().

Yes, I agree permissive allows any header. So allow_any_header is not needed.

I also agree that it is a mistake to use it in prod. But for now, even locally, I do not see the header as wanted... with all permissions set...

There is a function:

pub fn expose_headers<U, H>(self, headers: U) -> Cors

But I do not see how to add a custom header...?

Something like

Cors::permissive().expose_headers(["report", "date"]);

should do it I believe. I don't think you have to explicitly list whitelisted headers here, like content-type, etc.

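The observations in the thread match what the browser does with a cross-origin response, independent of actix: script may read only the CORS-safelisted response headers (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma) plus whatever the server lists in Access-Control-Expose-Headers. Date is not safelisted, which is why it disappears when only report is listed, and with no Access-Control-Expose-Headers at all (the teammates' case) only Content-Type of the headers above survives. Once report is exposed, every origin the CORS policy admits can read it, which is the point of the documentation warning about permissive() in production. The following is an added example, not code from the thread or from actix-cors: a plain-Rust model of the browser's header filter, run over constructed sample responses shaped like the one described above (the REPORT header, actix's Content-Type, the server-added Date, and the Access-Control-Expose-Headers value). It also shows the `*` wildcard, which exposes everything only for requests made without credentials; Set-Cookie is never readable. The filter is a simplification of the Fetch specification's rules, not a verbatim implementation.

```rust
use std::collections::BTreeSet;

/// CORS-safelisted response-header names (Fetch spec): readable cross-origin
/// even when the server sends no Access-Control-Expose-Headers at all.
const SAFELISTED: &[&str] = &[
    "cache-control", "content-language", "content-length",
    "content-type", "expires", "last-modified", "pragma",
];

/// Forbidden response-header names: never readable by script, even if "exposed".
const FORBIDDEN: &[&str] = &["set-cookie", "set-cookie2"];

/// Collect every name listed in Access-Control-Expose-Headers (the header may
/// appear more than once; values are comma-separated and case-insensitive).
fn exposed_list(headers: &[(&str, &str)]) -> BTreeSet<String> {
    headers
        .iter()
        .filter(|(name, _)| name.eq_ignore_ascii_case("access-control-expose-headers"))
        .flat_map(|(_, value)| value.split(','))
        .map(|s| s.trim().to_ascii_lowercase())
        .filter(|s| !s.is_empty())
        .collect()
}

/// Header names a cross-origin script may read from this response, sorted and
/// lower-cased. `credentials_included` models fetch(..., {credentials: "include"}).
pub fn readable_headers(headers: &[(&str, &str)], credentials_included: bool) -> Vec<String> {
    let exposed = exposed_list(headers);
    // `*` means "everything", but only for requests without credentials; with
    // credentials it is just a literal header name and exposes nothing.
    let wildcard = !credentials_included && exposed.contains("*");
    let mut out = BTreeSet::new();
    for (name, _) in headers {
        let lower = name.to_ascii_lowercase();
        if FORBIDDEN.contains(&lower.as_str()) {
            continue;
        }
        if wildcard || SAFELISTED.contains(&lower.as_str()) || exposed.contains(&lower) {
            out.insert(lower);
        }
    }
    out.into_iter().collect()
}

/// Constructed sample (not a real capture): the handler's REPORT header, actix's
/// Content-Type, the Date header added by the server, and an expose list naming
/// only "report" -- the poster's local situation.
pub const RESPONSE_EXPOSING_REPORT: &[(&str, &str)] = &[
    ("REPORT", "{\"pages\":3,\"warnings\":[]}"),
    ("content-type", "application/pdf"),
    ("date", "Tue, 01 Jan 2030 00:00:00 GMT"),
    ("access-control-expose-headers", "report"),
];

/// Constructed sample: same response with both custom names exposed, as the
/// suggested `expose_headers(["report", "date"])` would produce.
pub const RESPONSE_EXPOSING_BOTH: &[(&str, &str)] = &[
    ("REPORT", "{\"pages\":3,\"warnings\":[]}"),
    ("content-type", "application/pdf"),
    ("date", "Tue, 01 Jan 2030 00:00:00 GMT"),
    ("access-control-expose-headers", "report, date"),
];

/// Constructed sample: no Access-Control-Expose-Headers at all (the teammates' case).
pub const RESPONSE_WITHOUT_EXPOSE: &[(&str, &str)] = &[
    ("REPORT", "{\"pages\":3,\"warnings\":[]}"),
    ("content-type", "application/pdf"),
    ("date", "Tue, 01 Jan 2030 00:00:00 GMT"),
];

/// Constructed sample: wildcard exposure plus a Set-Cookie that must stay hidden.
pub const RESPONSE_WILDCARD: &[(&str, &str)] = &[
    ("REPORT", "{\"pages\":3,\"warnings\":[]}"),
    ("content-type", "application/pdf"),
    ("date", "Tue, 01 Jan 2030 00:00:00 GMT"),
    ("set-cookie", "sid=abc; HttpOnly"),
    ("access-control-expose-headers", "*"),
];

fn main() {
    let cases = [
        ("expose report only, credentialed", RESPONSE_EXPOSING_REPORT, true),
        ("expose report and date, credentialed", RESPONSE_EXPOSING_BOTH, true),
        ("no expose header, credentialed", RESPONSE_WITHOUT_EXPOSE, true),
        ("wildcard, no credentials", RESPONSE_WILDCARD, false),
        ("wildcard, credentialed", RESPONSE_WILDCARD, true),
    ];
    for (label, response, credentialed) in cases {
        println!("{label}: {:?}", readable_headers(response, credentialed));
    }
}
```

Running it shows Content-Type readable in every case, report readable only where it is listed, and date readable only once it is listed too (or under `*` without credentials). The same reasoning applies to any other header the server adds after the CORS middleware has built its expose list: if it is not named there and is not safelisted, the frontend will not see it.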
