Add WWW-Authenticate to Access-Control-Expose-Headers and update tests

RossTarrant · RossTarrant · commit 057d1a30877a · 2026-04-21T09:53:17.000+01:00
diff --git a/pkg/http/handler.go b/pkg/http/handler.go
@@ -425,7 +425,7 @@ func SetCorsHeaders(h http.Handler) http.Handler {
 		w.Header().Set("Access-Control-Allow-Origin", "*")
 		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS")
 		w.Header().Set("Access-Control-Max-Age", "86400")
-		w.Header().Set("Access-Control-Expose-Headers", "Mcp-Session-Id")
+		w.Header().Set("Access-Control-Expose-Headers", "Mcp-Session-Id, WWW-Authenticate")
 		w.Header().Set("Access-Control-Allow-Headers", fmt.Sprintf(
 			"Content-Type, Mcp-Session-Id, Mcp-Protocol-Version, Last-Event-ID, %s, %s, %s, %s, %s, %s, %s, %s",
 			headers.AuthorizationHeader,
diff --git a/pkg/http/handler_test.go b/pkg/http/handler_test.go
@@ -683,6 +683,7 @@ func TestSetCorsHeaders(t *testing.T) {
 		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "X-MCP-Lockdown")
 		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "X-MCP-Insiders")
 		assert.Contains(t, rr.Header().Get("Access-Control-Expose-Headers"), "Mcp-Session-Id")
+		assert.Contains(t, rr.Header().Get("Access-Control-Expose-Headers"), "WWW-Authenticate")
 	})
 
 	t.Run("POST request includes CORS headers", func(t *testing.T) {
