
CDN: Modify outgoing response headers

Last Updated: Apr 28, 2026

Outgoing response headers are the HTTP response headers that CDN returns to clients; among other things, they carry the parameters that control client-side caching behavior. After you configure headers for an accelerated domain name, CDN includes them in the responses it returns for requests to that domain name. This lets you implement features such as cross-origin resource sharing (CORS).

Background information

Outgoing response headers are the HTTP mechanism for controlling caching on the client side. When a client requests a resource, the response headers returned by CDN POPs (Points of Presence) tell the client under which conditions it may cache the content.

Note
  • HTTP response header configurations are domain-specific. This configuration applies to responses for all resources under the domain name.

  • Configuring HTTP response headers affects only the behavior of clients, such as browsers. It does not affect the caching behavior of CDN POPs. This feature is not supported for wildcard domain names.

Use cases

  • Inform the client of the resource type of a response file: Add the response header Content-Type: text/html to inform the client that the CDN response file is in HTML format.

  • Enable cross-origin resource access: When a user requests resources from a domain name on CDN, you can configure the Access-Control-Allow-Origin response header in the response returned by CDN to enable cross-origin access. For more information, see Configure Cross-Origin Resource Sharing. Alibaba Cloud CDN also supports validating received cross-origin requests based on configured CORS rules to implement more flexible cross-origin resource access control.

  • Customize response behavior: Add or modify custom headers to adjust the content and format of client responses based on your business needs.

Rule execution order

When multiple rules target the same header, rules are applied top to bottom and the last matching rule takes effect.

Example:

Rule    Operation  Header         Value         Result
Rule 1  Add        cache-control  max-age=3600  Applied first
Rule 2  Add        cache-control  no-cache      Applied second, wins

Outcome: cache-control: no-cache

Procedure

  1. Log on to the CDN console.

  2. In the left navigation pane, click Domain Names.

  3. On the Domain Names page, find the target domain name and click Manage in the Actions column.

  4. In the domain's navigation pane, click Cache.

  5. Click the POP HTTP Response Header tab.

  6. Click Customize to modify an outgoing response header.

    The following example shows how to add an outgoing response header.

    Operation: The action to perform on the specified response header. You can select Add, Delete, Change, or Replace.

    Response Header: Select a response header parameter. For more information, see Response header parameters.

    Header Name: Available only when Response Header is set to Custom. A custom header name must meet the following requirements:

    • It can contain letters, digits, and hyphens (-).

    • It must be 1 to 100 characters in length.

    Header Value: Enter the value of the response header. For more information, see Response header parameters.

    Allow Duplicates:

    • Yes: Retains the header from the origin server and adds a new header with the same name.

    • No: The header from the origin server is overwritten by the newly configured header with the same name.

    CORS: CORS validation is disabled by default. This parameter can be configured only when Operation is set to Add and Response Header is set to Access-Control-Allow-Origin.

    • Enable: POPs validate cross-origin requests against your rules and respond with an Access-Control-Allow-Origin value based on the validation result.

    • Disable: POPs do not validate the Origin header in client requests and respond only with the configured Access-Control-Allow-Origin value.

    For more information about CORS validation rules, see CORS validation rules.

    Rule Condition: A rule condition determines whether a configuration applies to a request by evaluating various parameters in the request.

    Important

    When a feature references rule conditions configured in the rules engine, the execution order follows the priority of the associated rule conditions, not the order of the feature configurations.

    • Do not use conditions: Disables conditional rules.

    • You can add or edit conditional rules in Rules engine.

  7. Click OK to save the configuration.

    After you modify the outgoing response header, you can find the current configuration in the POP HTTP Response Header list and click Modify or Delete to manage the configuration.

CORS validation rules

Important

The Allow Duplicates and CORS settings are mutually exclusive. If Allow Duplicates is set to Yes, CORS validation is disabled.

  • Wildcard match: When the custom response header Access-Control-Allow-Origin is set to *, the server always returns Access-Control-Allow-Origin: * regardless of whether the request includes the Origin header or what the value of the Origin header is.

  • Exact match: The value of the Access-Control-Allow-Origin response header parameter is set to a single value or multiple values separated by commas (,).

    • If the Origin header in the client request exactly matches a configured value, the response includes the corresponding CORS header.

    • If no exact match is found, the response does not include a CORS header.

  • Wildcard domain name match: If the value of the Access-Control-Allow-Origin response header parameter is set to a wildcard domain name, the POP validates whether the Origin value in the client request header matches the wildcard domain name specified for Access-Control-Allow-Origin.

For more information about how to configure these rules, see Configure CORS.
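The three validation modes above, together with the Disable behavior from the procedure, written out as a decision function. This is an added example, not Alibaba Cloud code; it assumes a wildcard domain entry is written as scheme://*.example.com[:port], matches only real subdomains with the same scheme and port, and that on a match the POP echoes the request Origin back as the header value.

```python
"""Model of the CORS validation rules described on this page.  Added example,
not Alibaba Cloud code.  Assumptions: a wildcard domain entry is written as
scheme://*.example.com[:port] and matches any subdomain with the same scheme
and port; on a match the POP echoes the request Origin back."""
from typing import Optional


def _parse(origin: str) -> Optional[tuple]:
    """Split 'scheme://host[:port]' into (scheme, host, port); None if malformed."""
    scheme, sep, rest = origin.partition("://")
    if not sep or not rest:
        return None
    host, _, port = rest.partition(":")
    return scheme.lower(), host.lower(), port


def allow_origin_value(configured: str, request_origin: Optional[str],
                       validate: bool = True) -> Optional[str]:
    """Value the POP would put in Access-Control-Allow-Origin, or None for no
    CORS header.  `configured` is the header value set in the console."""
    configured = configured.strip()
    # Wildcard match: '*' is always returned, whatever the Origin header says.
    if configured == "*":
        return "*"
    # CORS validation disabled: the configured value is returned as-is.
    if not validate:
        return configured
    req = _parse(request_origin) if request_origin else None
    if req is None:
        return None
    for entry in (e.strip() for e in configured.split(",")):
        # Exact match: the request Origin equals one configured value.
        if entry == request_origin:
            return request_origin
        pat = _parse(entry)
        if pat is None or not pat[1].startswith("*."):
            continue
        # Wildcard domain name match: same scheme and port, and the request
        # host is a real subdomain of the pattern (".example.com" suffix).
        suffix = pat[1][1:]
        if (pat[0] == req[0] and pat[2] == req[2]
                and req[1].endswith(suffix) and len(req[1]) > len(suffix)):
            return request_origin
    return None
```

Note that a lookalike such as https://api.example.com.attacker.test does not match a https://*.example.com entry, because the suffix check requires the pattern's domain to end the host, not merely appear in it.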

Response header parameters

Custom

  Description: Supports custom response headers. A custom header name must meet the following requirements:

  • It can contain letters, digits, and hyphens (-).

  • It must be 1 to 100 characters in length.

  Example: Test-Header

Cache-Control

  Description: Specifies the caching mechanism that client requests and responses must follow.

  Example: no-cache

Content-Disposition

  Description: Specifies the default filename when a client saves the requested content as a file.

  Example: examplefile.txt

Content-Type

  Description: Specifies the content type of the response object for the client.

  Example: text/plain

Pragma

  Description: A general header defined in HTTP/1.0. This header is typically used in server responses to define client-side caching behavior.

  Example: no-cache

Access-Control-Allow-Origin

  Description: Indicates which origins can access a resource. It is part of the cross-origin resource sharing (CORS) standard. The value of this response header can be one of the following types:

  • Wildcard *: A wildcard indicates that resources can be accessed by any origin. This is a lenient approach suitable for publicly accessible resources that do not require authentication or authorization. However, use wildcards with caution in a production environment due to potential security risks such as cross-site request forgery (CSRF).

  • Single specified origin: You can specify a single origin (domain) to allow access only from that origin. Examples: http://example.com or https://api.example.com. The request must originate from the specified origin. Otherwise, the request is denied.

  Examples: * or http://www.aliyun.com

Access-Control-Allow-Methods

  Description: Specifies the allowed methods for cross-origin requests. Separate multiple methods with commas (,).

  Example: POST,GET

Access-Control-Allow-Headers

  Description: Specifies the allowed headers for cross-origin requests.

  Example: X-Custom-Header

Access-Control-Expose-Headers

  Description: Specifies the custom headers that can be accessed by the client.

  Example: Content-Length

Access-Control-Allow-Credentials

  Description: Specifies whether the browser can expose the response to client-side scripts.

  • true: The response can be exposed.

  • Other values: The response cannot be exposed.

  Example: true

Access-Control-Max-Age

  Description: Specifies the cache duration of the preflight request result for a specific resource. Unit: seconds.

  Example: 600

Note
  • You can set the response header value to "*", which indicates any origin.

  • If the response header value is not "*", you can specify one or more IP addresses or domain names. Separate them with commas (,).

  • If the response header value is not "*", the value must start with "http://" or "https://".

  • You can include a port number in the response header value.

  • You can use a wildcard domain name as the response header value.

FAQ