diff --git a/securing_apps/topics/oidc/java/java-adapter-config.adoc b/securing_apps/topics/oidc/java/java-adapter-config.adoc
index 5d9f94e1fe..4b8110b87e 100644
--- a/securing_apps/topics/oidc/java/java-adapter-config.adoc
+++ b/securing_apps/topics/oidc/java/java-adapter-config.adoc
@@ -17,6 +17,7 @@ This is what one might look like:
   "enable-cors" : true,
   "cors-max-age" : 1000,
   "cors-allowed-methods" : "POST, PUT, DELETE, GET",
+  "cors-exposed-headers" : "WWW-Authenticate, My-custom-exposed-Header",
   "bearer-only" : false,
   "enable-basic-auth" : false,
   "expose-token" : true,
@@ -103,6 +104,12 @@ cors-allowed-headers::
   This is _OPTIONAL_.
   If not set, this header is not returned in CORS responses.
 
+cors-exposed-headers::
+  If CORS is enabled, this sets the value of the `Access-Control-Expose-Headers` header.
+  This should be a comma-separated string.
+  This is _OPTIONAL_.
+  If not set, this header is not returned in CORS responses.
+
 bearer-only::
   This should be set to _true_ for services. If enabled the adapter will not attempt to authenticate users, but only verify bearer tokens.
   This is _OPTIONAL_.