Not a developer? Go to



This is documentation about a configuration directive, which can be placed within Movable Type’s core configuration file, mt-config.cgi, to customize the behavior of the system.

DataAPICORSExposeHeaders is used to specify the Access-Control-Expose-Headers header value sent from the Data API end point.

When retrieving data from external sites using JavaScript’s XMLHttpRequest Level 2  with a web browser or a client application, the returned header information is subject to a number of different Cross Origin Resource Sharing (CORS) security restrictions. Specifically, in order to retrieve customized headers, express permission must be granted through Movable Type using the Access-Control-Allow-Headers header.

If a customized header from a plug-in is set as the response header value, the user must first get permission to use the header from the external site.

If the request is made from a site that is permitted to use the Data API, set-up using the DataAPICORSAllowOrigin configuration directive, and sends an access request, the specified Access-Control-Expose-Headers header will be returned as part of the REST query response. If any of the previous conditions are not true, the Access-Control-Expose-Headers header will not be sent.


DataAPICORSExposeHeaders X-MT-Authorization, X-Requested-With, X-Some-Request-Value

Default Value

DataAPICORSExposeHeaders X-MT-Authorization, X-Requested-With