fix for #691

Author: mevdschee

README.md

@@ -614,10 +614,10 @@ You can tune the middleware behavior using middleware specific configuration par
 - "firewall.reverseProxy": Set to "true" when a reverse proxy is used ("")
 - "firewall.allowedIpAddresses": List of IP addresses that are allowed to connect ("")
 - "cors.allowedOrigins": The origins allowed in the CORS headers ("*")
-- "cors.allowHeaders": The headers allowed in the CORS request ("Content-Type, X-XSRF-TOKEN")
+- "cors.allowHeaders": The headers allowed in the CORS request ("Content-Type, X-XSRF-TOKEN, X-Authorization, X-Debug-Info, X-Exception-Name, X-Exception-Message, X-Exception-File")
 - "cors.allowMethods": The methods allowed in the CORS request ("OPTIONS, GET, PUT, POST, DELETE, PATCH")
 - "cors.allowCredentials": To allow credentials in the CORS request ("true")
-- "cors.exposeHeaders": Whitelist headers that browsers are allowed to access ("")
+- "cors.exposeHeaders": Whitelist headers that browsers are allowed to access ("X-Debug-Info, X-Exception-Name, X-Exception-Message, X-Exception-File")
 - "cors.maxAge": The time that the CORS grant is valid in seconds ("1728000")
 - "xsrf.excludeMethods": The methods that do not require XSRF protection ("OPTIONS,GET")
 - "xsrf.cookieName": The name of the XSRF protection cookie ("XSRF-TOKEN")