diff --git a/src/main/java/com/contentgrid/gateway/runtime/cors/RuntimeCorsConfigurationMapper.java b/src/main/java/com/contentgrid/gateway/runtime/cors/RuntimeCorsConfigurationMapper.java
index 0aa9260c..c787fb34 100644
--- a/src/main/java/com/contentgrid/gateway/runtime/cors/RuntimeCorsConfigurationMapper.java
+++ b/src/main/java/com/contentgrid/gateway/runtime/cors/RuntimeCorsConfigurationMapper.java
@@ -5,6 +5,7 @@
 import com.contentgrid.gateway.runtime.web.ContentGridRuntimeHeaders;
 import java.util.List;
 import lombok.RequiredArgsConstructor;
+import org.springframework.http.HttpHeaders;
 import org.springframework.web.cors.CorsConfiguration;
 
 @RequiredArgsConstructor
@@ -12,7 +13,9 @@ class RuntimeCorsConfigurationMapper implements CorsConfigurationMapper {
 
     private final List<String> exposedHeaders = List.of(
             ContentGridRuntimeHeaders.CONTENTGRID_APPLICATION_ID,
-            ContentGridRuntimeHeaders.CONTENTGRID_DEPLOYMENT_ID
+            ContentGridRuntimeHeaders.CONTENTGRID_DEPLOYMENT_ID,
+
+            HttpHeaders.CONTENT_DISPOSITION
     );
 
     @Override
diff --git a/src/test/java/com/contentgrid/gateway/runtime/cors/RuntimeCorsWebFilterTest.java b/src/test/java/com/contentgrid/gateway/runtime/cors/RuntimeCorsWebFilterTest.java
index cc65f23c..bbf88a85 100644
--- a/src/test/java/com/contentgrid/gateway/runtime/cors/RuntimeCorsWebFilterTest.java
+++ b/src/test/java/com/contentgrid/gateway/runtime/cors/RuntimeCorsWebFilterTest.java
@@ -146,6 +146,10 @@ void corsRequest_allowed_validOrigin() {
         assertThat(response.getHeaders()).containsEntry(HttpHeaders.VARY,
                 List.of(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD,
                         HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS));
-        assertThat(response.getHeaders().getAccessControlExposeHeaders()).contains(ContentGridRuntimeHeaders.CONTENTGRID_APPLICATION_ID, ContentGridRuntimeHeaders.CONTENTGRID_DEPLOYMENT_ID);
+        assertThat(response.getHeaders().getAccessControlExposeHeaders())
+                .containsExactlyInAnyOrder(
+                        ContentGridRuntimeHeaders.CONTENTGRID_APPLICATION_ID,
+                        ContentGridRuntimeHeaders.CONTENTGRID_DEPLOYMENT_ID,
+                        HttpHeaders.CONTENT_DISPOSITION);
     }
 }