Outgoing response headers are HTTP response components containing parameters that control client caching behavior. When you modify these headers, CDN includes your configured headers in its responses to requests for your accelerated domain name. This allows you to implement features such as cross-origin resource sharing (CORS).
Background information
Outgoing response headers are an HTTP protocol mechanism for controlling caching. When a client requests a resource, HTTP response headers from CDN POPs (Points of Presence) allow clients to cache content under specific conditions.
HTTP response header configurations are domain-specific. This configuration applies to responses for all resources under the domain name.
Configuring HTTP response headers affects only the behavior of clients, such as browsers. It does not affect the caching behavior of CDN POPs. This feature is not supported for wildcard domain names.
Use cases
- Inform the client of the resource type of a response file: Add the response header Content-Type: text/html to inform the client that the CDN response file is in HTML format.
- Enable cross-origin resource access: When a user requests resources from a domain name on CDN, you can configure the Access-Control-Allow-Origin response header in the response returned by CDN to enable cross-origin access. For more information, see Configure Cross-Origin Resource Sharing. Alibaba Cloud CDN also supports validating received cross-origin requests based on configured CORS rules to implement more flexible cross-origin resource access control.
- Customize response behavior: Add or modify custom headers to adjust the content and format of client responses based on your business needs.
Rule execution order
When multiple rules target the same header, rules are applied top to bottom and the last matching rule takes effect.
Example:
Rule | Operation | Header | Value | Result |
Rule 1 | Add | | | Applied first |
Rule 2 | Add | | | Applied second, wins |
Outcome: cache-control: no-cache
Procedure
- Log on to the CDN console.
- In the left navigation pane, click Domain Names.
- On the Domain Names page, find the target domain name and click Manage in the Actions column.
- In the domain's navigation pane, click Cache.
- Click the POP HTTP Response Header tab.
- Click Customize to modify an outgoing response header.
The following example shows how to add an outgoing response header.
Parameter | Description |
Operation | The action to perform on the specified response header. You can select Add, Delete, Change, or Replace. |
Response Header | Select a response header parameter. For more information, see Response header parameters. |
Header Name | This parameter is available only when Custom is selected for the Response header parameter. A custom header name must meet the following requirements: It can contain letters, digits, and hyphens (-). It must be 1 to 100 characters in length. |
Header Value | Enter the value of the response header. For more information, see Response header parameters. |
Allow Duplicates | Yes: Retains the header from the origin server and adds a new header with the same name. No: The header from the origin server is overwritten by the newly configured header with the same name. |
CORS | CORS validation is disabled by default. This parameter can be configured only when Operation is set to Add and Response Header is set to Access-Control-Allow-Origin. Enable: When enabled, POPs validate cross-origin requests against your rules. They then respond with an Access-Control-Allow-Origin value based on the validation result. Disable: If you disable CORS validation, POPs do not validate the Origin header in client requests. The POPs respond only with the configured Access-Control-Allow-Origin value. For more information about CORS validation rules, see CORS validation rules. |
Rule Condition | A rule condition determines whether a configuration applies to a request by evaluating various parameters in the request. Important: When a feature references rule conditions configured in the rules engine, the execution order follows the priority of the associated rule conditions, not the order of the feature configurations. Do not use conditions: Disables conditional rules. You can add or edit conditional rules in Rules engine. |
Click OK to save the configuration.
After you modify the outgoing response header, you can find the current configuration in the POP HTTP Response Header list and click Modify or Delete to manage the configuration.
CORS validation rules
The Allow Duplicates and CORS settings are mutually exclusive. If Allow Duplicates is set to Yes, CORS validation is disabled.
- Wildcard match: When the custom response header Access-Control-Allow-Origin is set to *, the server always returns Access-Control-Allow-Origin: * regardless of whether the request includes the Origin header or what the value of the Origin header is.
- Exact match: The value of the Access-Control-Allow-Origin response header parameter is set to a single value or multiple values separated by commas (,).
  - If the Origin header in the client request exactly matches a configured value, the response includes the corresponding CORS header.
  - If no exact match is found, the response does not include a CORS header.
- Wildcard domain name match: If the value of the Access-Control-Allow-Origin response header parameter is set to a wildcard domain name, the POP validates whether the Origin value in the client request header matches the wildcard domain name specified for Access-Control-Allow-Origin.
For more information about how to configure these rules, see Configure CORS.
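The three validation rules above, modeled in Python as an added example (not Alibaba Cloud's code; the function names are hypothetical): acao_for returns the Access-Control-Allow-Origin value a POP would send for a given Origin, and lint_config checks that configured values start with http:// or https://. The wildcard syntax https://*.example.com, matching subdomains only, and echoing the request origin on a match are assumptions.

```python
import re

# Subdomain part of an origin: one or more DNS labels.
_LABELS = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\Z")


def lint_config(configured):
    """Return format problems in a configured Access-Control-Allow-Origin value."""
    if configured.strip() == "*":
        return []
    return [f"{v!r} must start with http:// or https://"
            for v in (p.strip() for p in configured.split(","))
            if not v.startswith(("http://", "https://"))]


def wildcard_match(origin, pattern):
    """Match origin against a pattern such as https://*.example.com[:port]."""
    scheme, sep, suffix = pattern.partition("://*")
    if not sep or not suffix.startswith("."):
        return False                      # not a wildcard-domain pattern
    prefix = scheme + "://"
    if not (origin.startswith(prefix) and origin.endswith(suffix)):
        return False                      # scheme, dot boundary or port differs
    sub = origin[len(prefix):len(origin) - len(suffix)]
    return bool(_LABELS.match(sub))       # rejects empty or malformed subdomain


def acao_for(configured, origin, cors_validation=True):
    """Return the Access-Control-Allow-Origin value to send, or None for no header."""
    if not cors_validation or configured.strip() == "*":
        return configured.strip()         # sent regardless of the Origin header
    if origin is None:
        return None
    for entry in (p.strip() for p in configured.split(",")):
        if origin == entry or wildcard_match(origin.lower(), entry.lower()):
            return origin                 # assumption: the request origin is echoed
    return None


# Constructed configuration and request origins (not from the original page).
CONFIG = "https://www.example.com,https://*.cdn.example.com:8443"
if __name__ == "__main__":
    for o in ("https://www.example.com", "https://a.cdn.example.com:8443",
              "https://evilcdn.example.com:8443", "http://www.example.com", None):
        print(o, "->", acao_for(CONFIG, o))
```

With validation disabled the configured string is returned unchanged, so a comma-separated list would reach the browser as-is; browsers accept only a single origin or * in this header.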
Response header parameters
Parameter | Description | Example |
Custom | Supports custom response headers. A custom header name must meet the following requirements: it can contain letters, digits, and hyphens (-), and it must be 1 to 100 characters in length. | Test-Header |
Cache-Control | Specifies the caching mechanism that client requests and responses must follow. | no-cache |
Content-Disposition | Specifies the default filename when a client saves the requested content as a file. | examplefile.txt |
Content-Type | Specifies the content type of the response object for the client. | text/plain |
Pragma | A general header defined in HTTP/1.0. This header is typically used in server responses to define client-side caching behavior. | no-cache |
Access-Control-Allow-Origin | The | |
Access-Control-Allow-Methods | Specifies the allowed methods for cross-origin requests. Separate multiple methods with commas (,). | POST,GET |
Access-Control-Allow-Headers | Specifies the allowed headers for cross-origin requests. | X-Custom-Header |
Access-Control-Expose-Headers | Specifies the custom headers that can be accessed by the client. | Content-Length |
Access-Control-Allow-Credentials | Specifies whether the browser can expose the response to client-side scripts. | true |
Access-Control-Max-Age | Specifies the cache duration of the preflight request result for a specific resource. Unit: seconds. | 600 |
You can set the response header value to "*", which indicates any origin.
If the response header value is not "*", you can specify one or more IP addresses or domain names. Separate them with commas (,).
If the response header value is not "*", the value must start with "http://" or "https://".
You can include a port number in the response header value.
You can use a wildcard domain name as the response header value.