HTTP response headers are a component of the header section in response messages transmitted over HTTP. HTTP response headers bring specific parameters to clients. You can create custom response headers and enable Alibaba Cloud CDN to return specified response headers so that certain features such as cross-origin resource sharing (CORS) can be implemented.
Scenario 1: Specify the type of resource returned to the clients. For example, you can add the Content-Type: text/html response header to inform clients that the file returned is in the HTML format.
Scenario 2: Enable CORS. If you want to request resources from a domain name accelerated by Alibaba Cloud CDN, you can add the Access-Control-Allow-Origin header to the responses to perform CORS. For more information, see Configure CORS. In addition, Alibaba Cloud CDN allows you to enable verification on cross-origin requests based on custom CORS rules. This regulates access control for CORS.
- The configuration of an HTTP response header applies to a domain name. After you configure an HTTP response header, the configuration of the response header takes effect for all responses returned from the domain name.
- An HTTP response header affects only the response behavior of clients, such as browsers. An HTTP response header does not affect the caching behavior of Alibaba Cloud CDN points of presence (POPs). You cannot configure a custom HTTP response header for wildcard domain names.
- Log on to the Alibaba Cloud CDN console.
- In the left-side navigation pane, click Domain Names.
- On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
- In the left-side navigation pane of the domain name, click Cache.
- Click the Custom HTTP Response Header tab.
- Click Customize and set the parameters. In the following example, a custom HTTP response header is created.
Parameter Description Operation You can add, delete, change, or replace a response header. Response Header Select a response header. For more information, see Response headers. Header Name If you select Custom, you must specify a header name. The name of the response header must be specified based on the following rules:
- The name must contain letters, digits, and hyphens (-).
- The name must be 1 to 100 characters in length.
Header Value Specify a value for the response header. For more information, see Response headers. Allow Duplicates
- Yes: Duplicate headers are allowed. Duplicate headers added in the Alibaba Cloud CDN console and returned from the origin server are all retained.
- No: Duplicate headers are not allowed. The header added in the Alibaba Cloud CDN console overwrites the duplicate header returned from the origin server.
CORS By default, CORS is disabled. You can configure CORS verification only if Operation is set to Add and Response Header is set to Access-Control-Allow-Origin.
Note CORS authentication rules:
- Enable: After CORS is enabled, Alibaba Cloud CDN POPs check the Origin header of user requests based on the following rules and specify a value for Access-Control-Allow-Origin.
- Disable: After CORS authentication is disabled, Alibaba Cloud CDN POPs do not check the Origin header of user requests. In this case, Alibaba Cloud CDN POPs only return the value of Access-Control-Allow-Origin.
Allow Duplicates and CORS are mutually exclusive. If Allow Duplicates is set to Yes, CORS becomes invalid.
- Wildcard pattern match: If the Access-Control-Allow-Origin header is set to an asterisk (*), Access-Control-Allow-Origin:* is returned regardless of whether user requests contain the Origin header or the value to which the Origin header is set.
- Exact match: You can set the Access-Control-Allow-Origin header to one or more values. Separate values with commas (,).
- If the value of the Origin header in a user request matches a value of Access-Control-Allow-Origin, the value of Access-Control-Allow-Origin is returned.
- If the Origin value does not match any of the specified values, no response header is returned.
- Wildcard domain name match: If the Access-Control-Allow-Origin header is set to a wildcard domain name, the value of the Origin header is matched against the wildcard domain name.
For more information, see Configure CORS.
- Click OK.
After a custom response header is created, it is displayed on the Custom HTTP Response Header tab. You can Modify or Delete the header.
|Custom HTTP response header||Allows you to create a custom response header based on your business requirements. The name of the response header must be specified based on the following rules:||Test-Header|
|Cache-Control||Specifies the cache rule that requests and responses follow.||no-cache|
|Content-Disposition||Specifies the default file name if the retrieved content is saved as a file on the client.||examplefile.txt|
|Content-Type||Specifies the media type of the resource returned to clients.||text/plain|
|Pragma||Pragma is an HTTP/1.0 general-type header. It is used to carry cache control directives in server responses.||no-cache|
|Access-Control-Allow-Origin||Specifies the origin servers with which the response can be shared. You can enter an asterisk (*) in the Header Value field to specify all domain names. You can also enter a specific domain name, for example, |
|Access-Control-Allow-Methods||Specifies the request methods that you can use in cross-origin requests. You can specify one or more request methods. Separate request methods with commas (,).||POST,GET|
|Access-Control-Allow-Headers||Specifies the header fields that you can use in cross-origin requests.||X-Custom-Header|
|Access-Control-Expose-Headers||Specifies the headers that can be exposed as part of the response.||Content-Length|
|Access-Control-Allow-Credentials||Specifies whether browsers can expose responses to the frontend page. ||true|
|Access-Control-Max-Age||Specifies how long the results of a preflight request can be cached, in seconds.||600|