From adc8dcd3f4bb2e2161233016fcac9ea7c19692c1 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Mon, 13 Jul 2026 22:14:15 +0000 Subject: [PATCH] docs(proxy): document LITELLM_CORS_EXPOSE_HEADERS env var --- docs/proxy/config_settings.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/proxy/config_settings.md b/docs/proxy/config_settings.md index b0626006..052c10ac 100644 --- a/docs/proxy/config_settings.md +++ b/docs/proxy/config_settings.md @@ -902,6 +902,7 @@ router_settings: | LITELLM_CLI_JWT_EXPIRATION_HOURS | Expiration time in hours for CLI-generated JWT tokens. Default is 24 hours | LITELLM_CLI_SSO_CLAIM_MAP | Alias for `CLI_SSO_CLAIM_MAP` — allowlisted OIDC claims for CLI SSO attribution metadata | LITELLM_CORS_ALLOW_CREDENTIALS | Set to `true` to explicitly allow credentials in CORS responses. When not set, credentials are disabled automatically if `LITELLM_CORS_ORIGINS` is `*` (wildcard) to prevent the browser security misconfiguration of reflecting any origin with credentials +| LITELLM_CORS_EXPOSE_HEADERS | Comma-separated list of additional response headers to expose via `Access-Control-Expose-Headers`, so browser clients calling the proxy cross-origin can read them (e.g. `x-litellm-response-cost,x-litellm-model-api-base`). Appended to the built-in defaults; when not set only the defaults are exposed | LITELLM_CORS_ORIGINS | Comma-separated list of allowed CORS origins (e.g. `https://app.example.com,https://admin.example.com`). Defaults to `*` (all origins) when not set | LITELLM_DD_AGENT_HOST | Hostname or IP of DataDog agent for LiteLLM-specific logging. When set, logs are sent to agent instead of direct API | LITELLM_DEPLOYMENT_ENVIRONMENT | Environment name for the deployment (e.g., "production", "staging"). Used as a fallback when OTEL_ENVIRONMENT_NAME is not set. Sets the `environment` tag in telemetry data