diff --git a/pygeoapi/flask_app.py b/pygeoapi/flask_app.py
index 1c5676af0..12fc30dbd 100644
--- a/pygeoapi/flask_app.py
+++ b/pygeoapi/flask_app.py
@@ -86,7 +86,7 @@
 if CONFIG['server'].get('cors', False):
     try:
         from flask_cors import CORS
-        CORS(APP, CORS_EXPOSE_HEADERS=['*'])
+        CORS(APP, expose_headers='*')
     except ModuleNotFoundError:
         print('Python package flask-cors required for CORS support')
 
diff --git a/tests/api/test_api.py b/tests/api/test_api.py
index bee15c1b5..d14ae13ab 100644
--- a/tests/api/test_api.py
+++ b/tests/api/test_api.py
@@ -280,6 +280,9 @@ def test_apirules_active(config_with_rules, rules_api):
         assert response.status_code == 200
         response = flask_client.get(flask_prefix)
         assert response.status_code in (307, 308)
+        # Ensure that the expose-headers are set regardless of
+        # whether apirules are active or not
+        assert response.headers['Access-Control-Expose-Headers'] == '*'
 
         # Test links on landing page for correct URLs
         response = flask_client.get(flask_prefix, follow_redirects=True)
@@ -342,6 +345,9 @@ def test_apirules_inactive(config, api_):
                flask_client.application.url_for('pygeoapi.conformance')
         response = flask_client.get('/static/img/pygeoapi.png')
         assert response.status_code == 200
+        # Ensure that the expose-headers are set regardless of
+        # whether apirules are active or not
+        assert response.headers['Access-Control-Expose-Headers'] == '*'
 
         # Test trailing slashes
         response = flask_client.get('/')