diff --git a/app/controllers/api/application_controller.rb b/app/controllers/api/application_controller.rb
index 5bc60e0..894e50b 100644
--- a/app/controllers/api/application_controller.rb
+++ b/app/controllers/api/application_controller.rb
@@ -9,11 +9,13 @@ class Api::ApplicationController < ApplicationController
       request.headers['Origin'] :
       ''
     headers['Access-Control-Allow-Credentials'] = 'true'
+    headers['Access-Control-Expose-Headers'] = 'Content-Length'
   end
 
   def cor_preflight
     headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE'
-    headers['Access-Control-Allow-Headers'] = 'Content-Type, X-Requested-With'
+    headers['Access-Control-Allow-Headers'] =
+      'Content-Type, Content-Length, X-Requested-With'
 
     head :ok
   end
diff --git a/spec/controllers/api/application_controller_spec.rb b/spec/controllers/api/application_controller_spec.rb
index 3ce0037..4ae8922 100644
--- a/spec/controllers/api/application_controller_spec.rb
+++ b/spec/controllers/api/application_controller_spec.rb
@@ -30,7 +30,7 @@ describe Api::ApplicationController do
       it 'sets Access-Control-Allow-Methods header' do
         options :index
         response.headers['Access-Control-Allow-Headers'].should ==
-          'Content-Type, X-Requested-With'
+          'Content-Type, Content-Length, X-Requested-With'
       end
     end
 
diff --git a/spec/integration/api/cross_origin_request_spec.rb b/spec/integration/api/cross_origin_request_spec.rb
index cbb552b..a17fde2 100644
--- a/spec/integration/api/cross_origin_request_spec.rb
+++ b/spec/integration/api/cross_origin_request_spec.rb
@@ -28,7 +28,7 @@ feature 'API cross origin request' do
     response.headers['Access-Control-Allow-Methods'].should ==
       'GET, POST, PUT, DELETE'
     response.headers['Access-Control-Allow-Headers'].should ==
-      'Content-Type, X-Requested-With'
+      'Content-Type, Content-Length, X-Requested-With'
   end
 
   scenario 'basic request' do
@@ -39,6 +39,7 @@ feature 'API cross origin request' do
 
     response.headers['Access-Control-Allow-Origin'].should == origin
     response.headers['Access-Control-Allow-Credentials'].should == 'true'
+    response.headers['Access-Control-Expose-Headers'].should == 'Content-Length'
   end
 
   scenario 'request without origin' do