@madisoncarter1234
Contributor

Summary

  • Removes the incorrect Access-Control-Expose-Headers header from client request headers in x402-fetch, x402-axios, and Python clients (httpx, requests)
  • This header is a RESPONSE header per the CORS spec and has no effect when sent in a request
  • Server-side middlewares are responsible for setting this header in their responses

Background

Access-Control-Expose-Headers is a CORS response header that tells browsers which headers from the response are accessible to JavaScript. Setting it as a request header does nothing.

The fix removes the header from:

  • typescript/packages/x402-fetch/src/index.ts
  • typescript/packages/x402-axios/src/index.ts
  • python/x402/src/x402/clients/httpx.py
  • python/x402/src/x402/clients/requests.py

Test plan

  • Updated unit tests to remove expectations for this header
  • Existing tests should still pass as the functionality is unchanged (the header never did anything)

…ader

The x402-fetch, x402-axios, and Python (httpx, requests) clients were
setting Access-Control-Expose-Headers as a REQUEST header. This is
incorrect - Access-Control-Expose-Headers is a RESPONSE header that
only makes sense when set by the server, not the client.

Setting this header in a request has no effect on CORS behavior.
The server-side middlewares are responsible for setting this header
in their responses to allow browser clients to access the
X-PAYMENT-RESPONSE header.
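
The behaviour described above, as an added example (not code from this PR or the x402 project): a small model of the Fetch specification's CORS response filtering, plus a check that flags response-only CORS headers in a client's request headers. The function names are hypothetical, and the header values and the `https://app.example` origin are constructed.

```javascript
// Model of the Fetch spec's "CORS filtered response": which response headers a
// cross-origin page script can read. All sample header values are constructed.
const SAFELISTED = new Set(["cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma"]);
const RESPONSE_ONLY_CORS = new Set(["access-control-allow-origin",
  "access-control-allow-credentials", "access-control-allow-methods",
  "access-control-allow-headers", "access-control-expose-headers",
  "access-control-max-age"]);

// Header names are case-insensitive, so compare them in lower case.
const lower = (h) => Object.fromEntries(
  Object.entries(h).map(([k, v]) => [k.toLowerCase(), String(v)]));

// requestHeaders is accepted only to show that it plays no part in the result.
function readableByScript(requestHeaders, responseHeaders, credentialed = false) {
  const res = lower(responseHeaders);
  const exposed = (res["access-control-expose-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  // "*" exposes everything only for requests made without credentials.
  const wildcard = exposed.includes("*") && !credentialed;
  return Object.keys(res).filter((name) =>
    name !== "set-cookie" && name !== "set-cookie2" &&
    (SAFELISTED.has(name) || wildcard || exposed.includes(name))).sort();
}

// Regression check for client code: response-only CORS headers set on a request.
function responseOnlyCorsHeadersIn(requestHeaders) {
  return Object.keys(lower(requestHeaders))
    .filter((name) => RESPONSE_ONLY_CORS.has(name)).sort();
}

const oldRequest = { "Accept": "application/json",
  "Access-Control-Expose-Headers": "X-PAYMENT-RESPONSE" };
const newRequest = { "Accept": "application/json" };
const bareResponse = { "Content-Type": "application/json",
  "X-PAYMENT-RESPONSE": "constructed-value" };
const corsResponse = { ...bareResponse,
  "Access-Control-Allow-Origin": "https://app.example",
  "Access-Control-Expose-Headers": "X-PAYMENT-RESPONSE" };

// The request header changes nothing; only the server's response header does.
console.log(readableByScript(oldRequest, bareResponse));
console.log(readableByScript(newRequest, corsResponse));
console.log(responseOnlyCorsHeadersIn(oldRequest));
```
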
@vercel

vercel bot commented Dec 5, 2025

@madisoncarter1234 is attempting to deploy a commit to the Coinbase Team on Vercel.

A member of the Team first needs to authorize it.

@cb-heimdall

🟡 Heimdall Review Status

Requirement Status More Info
Reviews 🟡 0/1
Denominator calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 1
Sum 2
