diff --git a/cors.go b/cors.go
index 5da63c8..105c30d 100644
--- a/cors.go
+++ b/cors.go
@@ -17,10 +17,12 @@ var (
 		"X-Amz-User-Agent",
 		"X-CSRF-Token",
 		"x-amz-acl",
+		"x-amz-content-sha256",
 		"x-amz-meta-filename",
 		"x-amz-meta-from",
 		"x-amz-meta-private",
 		"x-amz-meta-to",
+		"x-amz-security-token",
 	}
 	corsHeadersString = strings.Join(corsHeaders, ", ")
 )
@@ -34,6 +36,7 @@ func (s *withCORS) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Access-Control-Allow-Origin", "*")
 	w.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE, HEAD")
 	w.Header().Set("Access-Control-Allow-Headers", corsHeadersString)
+	w.Header().Set("Access-Control-Expose-Headers", "ETag")
 
 	if r.Method == "OPTIONS" {
 		return