For Spring Boot 2 if you don't want to use global CORS configuration, you can do it by method or class/controller level using @CrossOrigin
adnotation with exposedHeaders
atribute.
For example, to add header authorization
for YourController
methods:
@CrossOrigin(exposedHeaders = "authorization")
@RestController
public class YourController {
...
}