HTTP response headers are a component of the header section in response messages that are transmitted over HTTP. HTTP response headers deliver specific parameters to clients to manage caching. You can configure HTTP response headers and allow Alibaba Cloud CDN to return the configured response headers. This way, specific features, such as cross-origin resource sharing (CORS), can be implemented.
Background information
HTTP response headers can be used to manage caching of content that is transmitted over HTTP. When a client requests a resource, the CDN point of presence (POP) returns HTTP response headers to the client, which allow the client and POPs to cache the response under specific conditions.
The configuration of an HTTP response header applies to a domain name. After you configure an HTTP response header, the configuration of the response header takes effect for responses to all requests destined for your domain name.
An HTTP response header affects only the response behavior of clients, such as browsers. An HTTP response header does not affect the caching behavior of CDN POPs.
Scenarios
Notify clients of the type of the resource that is returned by CDN. For example, you can add the Content-Type: text/html response header to inform clients that the file returned from CDN is in the HTML format.
Enable CORS. When a user requests resources on a domain name that is accelerated by CDN, you can add the Access-Control-Allow-Origin header to the responses to enable CORS. For more information, see Configure CORS.
In addition, CDN allows you to enable authentication on cross-origin requests based on custom CORS rules to regulate access control for CORS.
Configure custom response behavior. You can add or modify custom headers to modify the content and format of response messages that are returned to clients based on your business requirements. This allows you to implement specific features or track responses.
Usage notes
If multiple rules are configured for the same header, the rules are executed from top to bottom in the configuration list. Examples:
Configuration 1: Add the cache-control: max-age=3600 response header.
Configuration 2: Add the cache-control: no-cache response header.
In the preceding combined configurations, Configuration 2 takes effect.
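The following Python script is an added illustration, not Alibaba Cloud CDN code. It models how an ordered list of POP response-header configurations is applied to the headers received from the origin server, following the rule that configurations run from top to bottom (so the later cache-control rule wins) and the Allow Duplicates semantics described under the procedure below. The Config class, the apply_configs() function, the restriction to the Add and Delete operations, and the sample origin headers are assumptions made for the example.

```python
# Added example (not Alibaba Cloud CDN code): apply an ordered list of
# response-header configurations to the headers returned by the origin.
# Config, apply_configs() and the sample data are assumptions for illustration.
from dataclasses import dataclass
from typing import List, Tuple

Header = Tuple[str, str]  # (name, value); a response may carry repeated names


@dataclass(frozen=True)
class Config:
    operation: str                  # "Add" or "Delete" (only these two are modeled)
    name: str
    value: str = ""
    allow_duplicates: bool = False  # the console's "Allow Duplicates" switch


def _same(a: str, b: str) -> bool:
    # HTTP header names are case-insensitive
    return a.lower() == b.lower()


def apply_configs(origin_headers: List[Header], configs: List[Config]) -> List[Header]:
    """Return the response headers after the configurations run top to bottom."""
    headers = list(origin_headers)
    for cfg in configs:  # later rules see the result of earlier ones, so they win
        if cfg.operation == "Delete":
            headers = [h for h in headers if not _same(h[0], cfg.name)]
        elif cfg.operation == "Add":
            if not cfg.allow_duplicates:
                # "No": the console header overwrites any header of the same name,
                # whether it came from the origin or from an earlier configuration
                headers = [h for h in headers if not _same(h[0], cfg.name)]
            # "Yes": the origin's header and the console's header are both retained
            headers.append((cfg.name, cfg.value))
        else:
            raise ValueError(f"unsupported operation: {cfg.operation}")
    return headers


def values(headers: List[Header], name: str) -> List[str]:
    """All values carried by headers named `name`, in order."""
    return [v for n, v in headers if _same(n, name)]


# Constructed sample: what the origin server returned
ORIGIN = [("Content-Type", "text/plain"), ("Cache-Control", "max-age=60")]

# The page's example: two Add rules for cache-control; the second takes effect
EXAMPLE_CONFIGS = [
    Config("Add", "cache-control", "max-age=3600"),
    Config("Add", "cache-control", "no-cache"),
]

if __name__ == "__main__":
    print(values(apply_configs(ORIGIN, EXAMPLE_CONFIGS), "Cache-Control"))
    dup = apply_configs(ORIGIN, [Config("Add", "Cache-Control", "no-cache", allow_duplicates=True)])
    print(values(dup, "Cache-Control"))
```

Running the script shows that with Allow Duplicates set to No only no-cache survives, while with Yes the origin's max-age=60 and the console's no-cache are both present, which is the ambiguity a browser then has to resolve.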
Procedure
Log on to the Alibaba Cloud CDN console.
In the left-side navigation pane, click Domain Names.
On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
In the left-side navigation tree of the domain name, click Cache.
Click the POP HTTP Response Header tab.
Click Customize.
The following list describes the parameters that you need to configure:
Operation
You can add, delete, change, or replace specific response headers.
Response Header
Select a response header. For more information, see Response headers.
Header Name
If you set the Response Header parameter to Custom, you need to specify a header name based on the following rules:
The name can contain letters, hyphens (-), and digits.
The name must be 1 to 100 characters in length.
Header Value
Specify the header value. For more information, see Response headers.
Allow Duplicates
Yes: Duplicate headers are allowed. All duplicate headers that are added in the Alibaba Cloud CDN console and returned from the origin server are retained.
No: Duplicate headers are not allowed. The header that is added in the Alibaba Cloud CDN console overwrites the duplicate header that is returned from the origin server.
CORS
By default, CORS is disabled. You can configure CORS only if you set the Operation parameter to Add and the Response Header parameter to Access-Control-Allow-Origin.
Enable: After you enable CORS, POPs check the Origin header in user requests based on the CORS rules and specify a value for the Access-Control-Allow-Origin header.
Disable: After you disable CORS, POPs do not check the Origin header in user requests. In this case, POPs return the configured value of the Access-Control-Allow-Origin header.
For more information, see CORS rules.
Rule Condition
Rule conditions can identify parameters in a request to determine whether a configuration applies to the request.
Do not use conditions
Select the configured rule conditions in Rules Engine. For more information, see Rules engine.
Click OK.
After you configure an HTTP response header, the HTTP response header is displayed on the POP HTTP Response Header tab. You can click Modify or Delete in the Actions column to modify or delete the header.
CORS rules
The Allow Duplicates and CORS settings are mutually exclusive. If you set the Allow Duplicates parameter to Yes, the setting of CORS becomes invalid.
Wildcard pattern match: If you set the Access-Control-Allow-Origin header to an asterisk (*), Access-Control-Allow-Origin: * is returned regardless of whether user requests contain the Origin header or the value to which the Origin header is set.
Exact match: You can specify one or more values for the Access-Control-Allow-Origin header. Separate the values with commas (,). If the value of the Origin header in a user request matches a value of the Access-Control-Allow-Origin header, the matched value of the Access-Control-Allow-Origin header is returned. If the value of the Origin header in a user request does not match a value of Access-Control-Allow-Origin, the Access-Control-Allow-Origin header is not returned.
Wildcard domain name match: If you set the Access-Control-Allow-Origin header to a wildcard domain name, the value of the Origin header is matched against the wildcard domain name.
For more information, see Configure CORS.
Response headers
The following list describes the response headers:
Custom
Description: You can create a custom response header based on your business requirements. You need to specify the name of the response header based on the following rules:
The name can contain letters, hyphens (-), and digits.
The name must be 1 to 100 characters in length.
Example: Test-Header
Cache-Control
Description: The cache rule that requests and responses follow.
Example: no-cache
Content-Disposition
Description: The default file name that is used when the retrieved content is saved as a file on the client.
Example: examplefile.txt
Content-Type
Description: The media type of the resource that is returned to clients.
Example: text/plain
Pragma
Description: Pragma is an HTTP/1.0 general-type header that is used to carry cache control directives in server responses.
Example: no-cache
Access-Control-Allow-Origin
Description: The origins with which the response can be shared. You can use an asterisk (*) as a wildcard character in the Header Value field to specify all domain names. You can also enter a specific domain name, such as http://www.aliyun.com.
Example:
*
http://www.aliyun.com
https://aliyun.com:8080,http://10.10.10.10
http://*.aliyun.com
Access-Control-Allow-Methods
Description: The request methods that you can use in cross-origin requests. You can specify one or more request methods. Separate request methods with commas (,).
Example: POST,GET
Access-Control-Allow-Headers
Description: The header fields that you can use in cross-origin requests.
Example: X-Custom-Header
Access-Control-Expose-Headers
Description: The headers that can be exposed as part of the response.
Example: Content-Length
Access-Control-Allow-Credentials
Description: Specifies whether browsers can expose responses to the frontend page.
true: Browsers can expose responses to the frontend page.
Other values: Browsers cannot expose responses to the frontend page.
Example: true
Access-Control-Max-Age
Description: The period during which the results of a preflight request can be cached. Unit: seconds.
Example: 600
The following rules apply to the value of the Access-Control-Allow-Origin header:
You can set the header to an asterisk (*), which matches all origins.
You can configure one or more IP addresses, domain names, or combinations of IP addresses and domain names. Separate multiple values with commas (,).
If you do not use an asterisk (*) as a wildcard character for the header, each value must start with http:// or https://.
Port numbers are supported.
Wildcard domain names are supported.
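The following Python script is an added illustration, not Alibaba Cloud CDN code. It serves both the CORS rules section and the value rules for Access-Control-Allow-Origin above: validate_acao() checks a configured header value against those rules (an asterisk, or comma-separated values that each start with http:// or https://, with optional port numbers and wildcard domain names), and match_origin() evaluates a request's Origin header the way the three CORS rules describe (wildcard pattern match, exact match, wildcard domain name match). The function names, the header-name check, the decision that a wildcard domain such as http://*.aliyun.com does not match the bare apex aliyun.com, and the sample origins are assumptions made for the example.

```python
# Added example (not Alibaba Cloud CDN code): validate an Access-Control-Allow-Origin
# configuration and evaluate a request Origin against it per the page's CORS rules.
# Function names, the apex-domain decision and the sample values are assumptions.
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Header-name rule from the page: letters, hyphens and digits, 1 to 100 characters
_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,100}$")


def valid_header_name(name: str) -> bool:
    return bool(_NAME_RE.match(name))


def validate_acao(value: str) -> List[str]:
    """Split a configured header value into origins, rejecting values the page disallows."""
    entries = [v.strip() for v in value.split(",") if v.strip()]
    if not entries:
        raise ValueError("empty Access-Control-Allow-Origin value")
    if entries == ["*"]:
        return entries  # the wildcard stands alone and matches all origins
    for e in entries:
        if not (e.startswith("http://") or e.startswith("https://")):
            raise ValueError(f"origin must start with http:// or https://: {e!r}")
        if not urlsplit(e).hostname:
            raise ValueError(f"origin has no host: {e!r}")
    return entries


def _parts(origin: str) -> Tuple[str, str, Optional[int]]:
    # Normalise to (scheme, host, port); urlsplit lowercases the host for us
    u = urlsplit(origin)
    return u.scheme.lower(), (u.hostname or ""), u.port


def match_origin(configured: List[str], request_origin: Optional[str]) -> Optional[str]:
    """Value to send in Access-Control-Allow-Origin, or None to omit the header."""
    if configured == ["*"]:
        return "*"  # wildcard pattern match: returned whether or not Origin is present
    if not request_origin:
        return None  # nothing to compare against, so the header is not returned
    scheme, host, port = _parts(request_origin)
    for entry in configured:
        e_scheme, e_host, e_port = _parts(entry)
        if (e_scheme, e_port) != (scheme, port):
            continue  # scheme and port must agree before the host is compared
        if e_host.startswith("*."):
            # wildcard domain name match: the dot is required, so the apex itself
            # and look-alike hosts such as "notaliyun.com" do not match (assumption)
            if host.endswith(e_host[1:]):
                return entry
        elif e_host == host:
            return entry  # exact match: the matched configured value is returned
    return None


if __name__ == "__main__":
    cfg = validate_acao("https://aliyun.com:8080,http://10.10.10.10")
    print(match_origin(cfg, "http://10.10.10.10"))       # matched value returned
    print(match_origin(cfg, "http://other.example"))     # None: header omitted
    wild = validate_acao("http://*.aliyun.com")
    print(match_origin(wild, "http://www.aliyun.com"))   # wildcard domain match
    print(match_origin(validate_acao("*"), None))        # "*" regardless of Origin
```

The point to take from match_origin() is that, with CORS enabled on the POP, an unmatched Origin results in no Access-Control-Allow-Origin header at all rather than an echoed value, so a browser on an unlisted origin is denied access to the response body.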