I noticed that responses always include the Access-Control-Expose-Headers header even if Options.ExposedHeaders is not set. Running one of the examples, such as examples/gorilla/server.go, produces the following response:

$ curl -i -X GET 'http://localhost:8080' --header 'Origin: http://localhost:3000'
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers:
Content-Type: application/json
Vary: Origin
Date: Thu, 28 Sep 2023 00:33:47 GMT
Content-Length: 18

{"hello": "world"}

Is this the correct behavior? I would expect Access-Control-Expose-Headers to be omitted if no Options.ExposedHeaders value is set. If this is indeed a bug, I have a solution and can submit a PR to fix this.