diff --git a/httpbin/core.py b/httpbin/core.py
index 305c9882..a031b4fc 100644
--- a/httpbin/core.py
+++ b/httpbin/core.py
@@ -217,6 +217,7 @@ def before_request():
 def set_cors_headers(response):
     response.headers["Access-Control-Allow-Origin"] = request.headers.get("Origin", "*")
     response.headers["Access-Control-Allow-Credentials"] = "true"
+    response.headers["Access-Control-Expose-Headers"] = "WWW-Authenticate"
 
     if request.method == "OPTIONS":
         # Both of these headers are only used for the "preflight request"