Document `Directus-File-Id header` for TUS needs `CORS_EXPOSED_HEADERS` set for external domains

[julbd]

Describe the Bug

With TUS file uploads, a Directus-File-Id HTTP header is returned instead of a proper response object. But it took me several hours to understand why i could not access it on the browser side, because I simply forget to set :

CORS_EXPOSED_HEADERS: "Directus-File-Id"

I don't know the potential security issues with enabling this by default, so I'm only asking this as a question : should the api return Access-Control-Expose-Headers: Directus-File-Id alongside the header ?

To Reproduce

…

Directus Version

v11.16.1

Hosting Strategy

Self-Hosted (Docker Image)

Database

No response

[linear]

CMS-2031

EDU-513

[bellahadid27211-lab]

Thank you for the detailed report

…

On Tue, Mar 17, 2026, 8:54 PM linear[bot] ***@***.***> wrote: *linear[bot]* left a comment (directus/docs#599) <#599 (comment)> CMS-2031 <https://linear.app/directus/issue/CMS-2031/should-directus-expose-directus-file-id-header-after-tus-file-upload> — Reply to this email directly, view it on GitHub <#599 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/B72GQMILPDSTC34LQT4WRLD4RG3QXAVCNFSM6AAAAACWVNI2L6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DANZXHE2DSNBSGU> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[ComfortablyCoding]

Ideally, this isn’t something we should expose by default. It would be more appropriate to highlight it in the documentation, so I’ll move it there.