How to Fix: Refused to Get Unsafe Header

Reynaldi

In this article, you will learn how to fix the “Refused to get unsafe header” error in JavaScript. The error happens when you try to read a response header that the server hasn’t exposed via Access-Control-Expose-Headers.

Instant Fix for “Refused to Get Unsafe Header”

Use Corsfix to fix the “Refused to get unsafe header” error when you don’t control the server. Corsfix exposes all response headers automatically, so your JavaScript can read every header the API sends back.

const xhr = new XMLHttpRequest();
xhr.open("GET", "https://proxy.corsfix.com/?https://api.example.com/data");
xhr.onload = function () {
  const rateLimit = xhr.getResponseHeader("X-RateLimit-Remaining");
  console.log(rateLimit); // ✅ works
};
xhr.send();

For local development, this works instantly without registration. For live websites, set up your domain (takes 30 seconds).

Why This Error Happens

On cross-origin requests, the browser only lets JavaScript read a small set of response headers by default. These are called CORS-safelisted response headers:

  • Cache-Control
  • Content-Language
  • Content-Length
  • Content-Type
  • Expires
  • Last-Modified
  • Pragma

Any header outside this list is blocked unless the server explicitly includes it in Access-Control-Expose-Headers. When your code calls xhr.getResponseHeader() for a non-exposed header, the browser throws the “Refused to get unsafe header” error.

A common gotcha: the header shows up in the DevTools Network tab, but JavaScript still can’t access it. DevTools has privileged access and ignores CORS restrictions. Your code doesn’t.

This only affects cross-origin requests. Same-origin requests can read all response headers freely.

Fix If You Control the Server

If you own the API, add Access-Control-Expose-Headers to your response:

Access-Control-Expose-Headers: X-RateLimit-Remaining, X-RateLimit-Limit

Or use a wildcard to expose all headers:

Access-Control-Expose-Headers: *

This tells the browser it’s safe for JavaScript to read those headers. No proxy needed.
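The following is an added example (not code from the article or from Corsfix) covering both the "Why This Error Happens" section and the server-side fix above. It models the browser's rule for which response headers cross-origin script may read, following the Fetch standard's "CORS-exposed header-name list" logic, shows the same constructed response before and after the server adds Access-Control-Expose-Headers, and parses the text of xhr.getAllResponseHeaders() so code can check what was actually exposed instead of asking for a header blind. The header names and values in SAMPLE_RESPONSE are constructed for the demo.

```javascript
// Added example (not code from the article or from Corsfix): models the
// browser's rule for which response headers cross-origin script may read,
// following the Fetch standard's "CORS-exposed header-name list" logic.

// Readable on any cross-origin response without Access-Control-Expose-Headers.
const CORS_SAFELISTED_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// Never readable from script, whatever the server exposes.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Split an Access-Control-Expose-Headers value into lower-cased names.
function parseExposeHeaders(value) {
  if (!value) return [];
  return value.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// True if script may read `name` from a cross-origin response whose
// Access-Control-Expose-Headers value is `exposeValue`. `withCredentials`
// mirrors xhr.withCredentials: the "*" wildcard counts only for
// non-credentialed requests; on credentialed ones it names a header
// literally called "*".
function canReadResponseHeader(name, exposeValue, withCredentials = false) {
  const lower = name.toLowerCase();
  if (FORBIDDEN_RESPONSE_HEADERS.has(lower)) return false;
  if (CORS_SAFELISTED_RESPONSE_HEADERS.has(lower)) return true;
  const exposed = parseExposeHeaders(exposeValue);
  if (!withCredentials && exposed.includes("*")) return true;
  return exposed.includes(lower);
}

// Given every header the server sent (name -> value), return the names
// script will be able to read, in the order they were sent.
function readableHeaders(responseHeaders, withCredentials = false) {
  let exposeValue = "";
  for (const [k, v] of Object.entries(responseHeaders)) {
    if (k.toLowerCase() === "access-control-expose-headers") exposeValue = v;
  }
  return Object.keys(responseHeaders).filter((name) =>
    canReadResponseHeader(name, exposeValue, withCredentials));
}

// Parse the CRLF-separated "name: value" text of xhr.getAllResponseHeaders()
// (which already contains only exposed headers) into a lower-cased map.
function parseAllResponseHeaders(raw) {
  const map = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue;
    map[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return map;
}

// Constructed sample: what a rate-limited API might send without exposing
// its custom headers. Only the safelisted header is readable.
const SAMPLE_RESPONSE = {
  "Content-Type": "application/json",
  "X-RateLimit-Remaining": "42",          // constructed value
  "X-Request-Id": "req-0001",             // constructed value
  "Set-Cookie": "session=abc; HttpOnly",  // constructed value
};

// The same response after the server adds the header from the fix section.
const SAMPLE_RESPONSE_FIXED = {
  ...SAMPLE_RESPONSE,
  "Access-Control-Expose-Headers": "X-RateLimit-Remaining, X-RateLimit-Limit",
};

console.log(readableHeaders(SAMPLE_RESPONSE));       // ["Content-Type"]
console.log(readableHeaders(SAMPLE_RESPONSE_FIXED)); // ["Content-Type", "X-RateLimit-Remaining"]
```

Two practical points follow from the model. First, in Chromium getResponseHeader() on a non-exposed header returns null and logs the "Refused to get unsafe header" message to the console, so treat a null return as "not exposed" and consult parseAllResponseHeaders(xhr.getAllResponseHeaders()) when you want to know what is available. Second, expose only the headers the front end needs: on credentialed requests (withCredentials = true) the wildcard is not honoured, so `Access-Control-Expose-Headers: *` does not fix those, and naming the headers explicitly is both the working and the least-exposure option.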

When this isn’t an option — third-party APIs, external services, or APIs you simply can’t modify — a proxy like Corsfix is the easiest solution.

Common Headers That Trigger This

These are the headers that most commonly cause “Refused to get unsafe header”:

  • Content-Disposition — needed when downloading files to get the filename
  • X-RateLimit-Remaining, X-RateLimit-Limit, X-RateLimit-Reset — API rate limiting info your frontend needs to display or handle
  • Link — used for pagination in APIs that follow the RFC 5988 pattern
  • X-Total-Count — common custom header for total item count in paginated responses
  • X-Request-Id — useful for debugging and correlating requests with server logs

All of these work fine in server-side environments like Node.js. The restriction is purely a browser CORS policy.
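As an added example (not code from the article or from Corsfix), here are parsers for two of the headers listed above, Link (the RFC 5988 pagination pattern) and Content-Disposition (download filename). Both take the value returned by xhr.getResponseHeader(), which is null when the header was not exposed, and fall back sensibly so a missing header degrades instead of breaking the page. The filename helper also reduces the server-supplied name to a safe basename, since a header value should never be used as a path on its own. SAMPLE_LINK and SAMPLE_DISPOSITION are constructed values; the api.example.com host is the one the article uses.

```javascript
// Added example (not code from the article or from Corsfix): parsers for the
// Link and Content-Disposition headers with null-safe fallbacks.

// Parse a Link header into { rel: url }. Each link is "<url>; rel=..., <url>; ...".
function parseLinkHeader(value) {
  const links = {};
  if (!value) return links;                  // header absent or not exposed
  for (const m of value.matchAll(/<([^>]*)>([^<]*)/g)) {
    const url = m[1];
    const params = m[2].replace(/,\s*$/, "").split(";");
    for (const param of params) {
      const rel = param.trim().match(/^rel\s*=\s*"?([^"]*)"?$/i);
      if (!rel) continue;
      for (const r of rel[1].trim().split(/\s+/)) if (r) links[r] = url;
    }
  }
  return links;
}

// Reduce a server-supplied filename to a safe basename: drop any directory
// part and control characters, and reject names that are empty or just dots.
function sanitizeFilename(name, fallback = "download") {
  const base = name.split(/[\\/]/).pop().replace(/[\x00-\x1f\x7f]/g, "").trim();
  if (!base || /^\.+$/.test(base)) return fallback;
  return base;
}

// Extract the download filename from Content-Disposition, preferring the
// RFC 6266 filename* form (charset'lang'percent-encoded) over plain filename=.
function filenameFromContentDisposition(value, fallback = "download") {
  if (!value) return fallback;               // header absent or not exposed
  const ext = value.match(/filename\*\s*=\s*[^']*'[^']*'([^;]+)/i);
  if (ext) {
    try {
      return sanitizeFilename(decodeURIComponent(ext[1].trim()), fallback);
    } catch (e) {
      // malformed percent-encoding: fall through to plain filename=
    }
  }
  const plain = value.match(/filename\s*=\s*(?:"([^"]*)"|([^;]+))/i);
  if (plain) {
    const raw = plain[1] !== undefined ? plain[1] : plain[2];
    return sanitizeFilename(raw.trim(), fallback);
  }
  return fallback;
}

// Constructed sample values, as a cross-origin API might return them.
const SAMPLE_LINK =
  '<https://api.example.com/items?page=2>; rel="next", ' +
  '<https://api.example.com/items?page=5>; rel="last"';
const SAMPLE_DISPOSITION = "attachment; filename*=UTF-8''na%C3%AFve%20report.pdf";

console.log(parseLinkHeader(SAMPLE_LINK).next);   // https://api.example.com/items?page=2
console.log(parseLinkHeader(null));               // {} (not exposed: stop paginating)
console.log(filenameFromContentDisposition(SAMPLE_DISPOSITION)); // naïve report.pdf
console.log(filenameFromContentDisposition(null)); // download
```

In an xhr.onload handler the call sites are `parseLinkHeader(xhr.getResponseHeader("Link"))` and `filenameFromContentDisposition(xhr.getResponseHeader("Content-Disposition"))`; if either returns its empty or fallback value on a cross-origin request, the first thing to check is whether the server's Access-Control-Expose-Headers lists that header.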

Conclusion

Fix “Refused to get unsafe header” by adding Access-Control-Expose-Headers on your server, or using a proxy like Corsfix when you can’t modify the API. Unlike forbidden request headers, this is a server configuration issue, not a hard browser restriction. The server just needs to tell the browser which response headers JavaScript is allowed to read.
