When the cache on a CDN point of presence (POP) expires or a cache miss occurs, the POP requests the latest content from the origin server. The content and HTTP headers returned by the origin server are called origin response headers. You can modify these headers on your origin server to define a cache policy, configure Cross-Origin Resource Sharing (CORS), and more. This allows you to optimize website loading speed, enhance content security, control resource accessibility, and improve the user experience.
Background
HTTP response headers are components of an HTTP response that carry specific parameters to the client.
When content requested by an end user is not cached on a CDN node, the CDN performs an origin fetch, and the origin server sends a response. You can modify the HTTP headers in this inbound response. For example, you can rewrite the value of the Content-Type header before it is passed to the client to ensure proper parsing. If the origin server returns an incorrect Content-Type value, the client may fail to parse the content correctly. You can resolve this issue by rewriting the header on the CDN.
- An inbound response is the HTTP message that an origin server sends to a CDN node. Modifying inbound response headers only affects the HTTP message sent from the origin server to the CDN node; it does not affect responses the CDN node serves to the end user.
- You cannot modify inbound response headers for wildcard domains.
Use cases
Here are common use cases and examples:
- Incorrect content type: If the content type (`Content-Type`) returned by the origin server does not match the actual content, the client may be unable to parse it correctly. For example, an HTML file may be incorrectly marked as plain text. You can resolve this issue by configuring the origin response header.
  Example: Change `Content-Type: text/plain` to `Content-Type: text/html`.
- Cache policy control: If you need fine-grained control over the CDN caching policy, you can adjust the `Cache-Control` or `Expires` fields in the origin server's response headers. This helps optimize the content update frequency and cache hit rate.
  Example: Change `Cache-Control: max-age=3600` to `Cache-Control: max-age=86400` to extend the cache expiration time. For more information about the default cache rules of CDN, see Alibaba Cloud CDN Default Cache Rules and Priorities.
- Cross-Origin Resource Sharing (CORS): If you want to allow web applications from other domains to access resources hosted on the CDN, you must configure the `Access-Control-Allow-Origin` header and other related CORS headers on the origin server. These settings ensure that when a browser performs a cross-origin request, the CDN can provide the appropriate response headers to the client to prevent CORS errors. For more information about cross-origin access issues, see Configure Cross-Origin Resource Sharing.
  Examples:
  - `Access-Control-Allow-Origin: *`: Allows cross-origin resource requests from all domains.
  - `Access-Control-Allow-Methods: GET, POST, OPTIONS`: Specifies the HTTP methods that are allowed for cross-origin requests.
- Compressed transfer: If the origin server supports compressed transfer but has not enabled it, or if the compression algorithm used is not the most efficient, you can set the `Accept-Encoding` in the back-to-origin response header to instruct the origin server to use the optimal compression method.
  Example: Change `Accept-Encoding: gzip, deflate` to `Accept-Encoding: br` to prioritize Brotli compression. For more information, see Brotli Compression.
- Redirection: When your origin server needs to redirect a user to another URL, you can set the correct redirection headers in the origin response header. For more information, see Configure 301/302 redirect following.
  Example: `Location: https://www.example.com/new-page.html`: Notifies the CDN and the user's browser of the new resource location for 301 or 302 redirection.
- Custom origin behavior: You may need to add custom headers to the response to implement specific functions or for tracking purposes.
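The CORS use case interacts with caching: a POP stores whatever CORS headers the origin returned and serves them to later visitors. The following check is an added example, not code from the CDN or its documentation; the function name, finding codes, and sample responses are constructed for illustration, while the header names are standard HTTP.

```python
# Added example: audits the CORS headers of one origin response before it is cached.
MESSAGES = {
    "wildcard-with-credentials":
        "browsers refuse credentialed requests when Allow-Origin is *",
    "wildcard-origin":
        "any website can read this resource; confirm it is meant to be public",
    "specific-origin-without-vary":
        "a shared cache may serve this Allow-Origin value to a different origin",
}

def audit_cors(headers):
    """Return finding codes for one origin response, given as a header dict."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        return []
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    vary = {v.strip().lower() for v in h.get("vary", "").split(",")}
    directives = {d.strip().lower().split("=")[0]
                  for d in h.get("cache-control", "").split(",")}
    cacheable = not directives & {"no-store", "private"}
    if allow_origin == "*":
        return ["wildcard-with-credentials" if credentials else "wildcard-origin"]
    # A per-origin value is only safe in a shared cache when Vary covers Origin.
    if cacheable and not vary & {"origin", "*"}:
        return ["specific-origin-without-vary"]
    return []

SAMPLES = {  # constructed responses, not captured traffic
    "public font": {"Access-Control-Allow-Origin": "*",
                    "Cache-Control": "max-age=86400"},
    "api with cookies": {"Access-Control-Allow-Origin": "*",
                         "Access-Control-Allow-Credentials": "true"},
    "per-origin": {"Access-Control-Allow-Origin": "https://app.example.com",
                   "Cache-Control": "max-age=3600"},
    "per-origin with Vary": {"Access-Control-Allow-Origin": "https://app.example.com",
                             "Cache-Control": "max-age=3600",
                             "Vary": "Accept-Encoding, Origin"},
}

if __name__ == "__main__":
    for label, response in SAMPLES.items():
        for code in audit_cors(response):
            print(f"{label}: {code}: {MESSAGES[code]}")
```

The `specific-origin-without-vary` finding only matters when the origin derives the value from the request's `Origin` header; a single fixed allowed origin does not need `Vary: Origin`.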
Notes
- Multiple configurations are executed from top to bottom in the order they appear in the configuration list. The effects are cumulative. If multiple configurations modify the same header, the last one takes precedence. In the following example, Configuration 2 is the one that takes effect:
  - Configuration 1: Add the HTTP response header: `cache-control: max-age=3600`
  - Configuration 2: Add the HTTP response header: `cache-control: no-cache`
- When rule conditions are applied, matching is determined by the priority of the conditions, not the order of the configurations.
Procedure
1. Log on to the CDN console.
2. In the left navigation pane, click Domain Names.
3. On the Domain Names page, find the target domain name and click Manage in the Actions column.
4. In the domain's navigation pane, click Origin Fetch.
5. Click the Modify Incoming Response Header tab.
6. Click Customize.
7. Modify the ingress response header settings.
   Important: If multiple operations apply to the same origin response header parameter, the operations are executed based on the following priority: Replace > Add > Change and Delete. For example, if both an add and a delete operation are configured for the same parameter, the add operation is executed before the delete operation.
   - Add response header
   - Delete response header
   - Modify response header
   - Replace response header
8. Click OK.
Default response headers
Alibaba Cloud CDN sets four response headers by default: Cache-Control, Content-Type, Expires, and Last-Modified. These essential HTTP protocol headers control caching, define content types, set expiration times, and record the last modified time of resources.
| Header | Description | Example |
|---|---|---|
| Cache-Control | Controls the caching behavior and duration of a resource. It provides caching directives for POPs and client browsers, specifying when to cache content, for how long, and when it becomes stale. This header takes precedence over the legacy | |
| Content-Type | Specifies the media type of a resource. This header helps the client browser interpret and render the data correctly. The CDN also uses this header to process and transfer content. | |
| Expires | Specifies the date and time when the resource expires. The CDN uses this header to determine if the resource is still valid. If expired, the CDN performs an origin fetch to retrieve an updated version. The | |
| Last-Modified | Indicates the time when the resource was last modified. The CDN and client browsers use this response header to determine if a cached resource is still up-to-date. | |
Configuration examples
Example 1: Set a response MIME type
Use case
Set a specific MIME type for a response.
MIME types include the following main categories:
- Text: Includes text files (such as .txt and .csv) and HTML files (such as .html, .htm, and .shtml).
- Image: Includes common image files (such as .jpg, .png, and .gif).
- Audio: Includes audio files (such as .mp3 and .wav).
- Video: Includes video files (such as .mp4 and .avi).
- Application: Includes application files (such as .pdf, .doc, and .xls).
Configuration
- Response header operation: Add
- Header name: Content-Type
- Header value: text/html
Set Allow Duplicates to Do not allow and Rule Condition to Do not use, then click OK.
Result: The POP adds the Content-Type: text/html header to the response from the origin server. If you configure this header again, the new value overwrites the existing one.
Example 2: Delete a response header
Use case
Delete a response header.
Configuration
- Response header operation: Delete
- Header name: Content-Type
Set Allow Duplicates to Do not allow and Rule Condition to Do not use, then click OK.
Result: The POP removes the Content-Type header from the response before returning it to the client.
If you apply the configurations from both Example 1 and Example 2, the system first adds and then deletes the Content-Type: text/html response header. As a result, the client receives the response without a specified MIME type.
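The ordering rules in the Notes and the Add-before-Delete priority can be checked before a configuration is saved. The following is an added example that models only the Add and Delete operations as this page describes them; it is not the CDN's implementation, it leaves out Modify and Replace because the page does not define their behavior, and the rule tuples, function name, and sample origin headers are hypothetical.

```python
# Added example: a model of the Add/Delete behaviour described on this page,
# not the CDN's implementation. Rule tuples and names are hypothetical.
PRIORITY = {"add": 0, "delete": 1}  # per the page, Add runs before Delete

def apply_rules(origin_headers, rules):
    """Apply (operation, header, value) rules; return (headers, notes)."""
    headers = {name.lower(): value for name, value in origin_headers.items()}
    notes, last_add = [], {}
    # Priority first; within one priority, console order (top to bottom).
    ordered = sorted(enumerate(rules, start=1),
                     key=lambda item: (PRIORITY[item[1][0]], item[0]))
    for number, (operation, name, value) in ordered:
        key = name.lower()
        if operation == "add":
            if key in last_add:
                notes.append(f"rule {last_add[key]} on {key} is overridden by rule {number}")
            headers[key] = value  # a later Add overwrites the earlier value
            last_add[key] = number
        else:
            if key in last_add:
                notes.append(f"rule {last_add[key]} adds {key}, rule {number} deletes it")
            headers.pop(key, None)
    if "content-type" not in headers:
        notes.append("no content-type: the browser will guess the MIME type")
    return headers, notes

ORIGIN = {"Content-Type": "text/plain", "Cache-Control": "max-age=60"}  # constructed
NOTES_CASE = [("add", "cache-control", "max-age=3600"),
              ("add", "cache-control", "no-cache")]
EXAMPLES_1_AND_2 = [("delete", "Content-Type", None),   # listed first on purpose
                    ("add", "Content-Type", "text/html")]

if __name__ == "__main__":
    for rules in (NOTES_CASE, EXAMPLES_1_AND_2):
        effective, notes = apply_rules(ORIGIN, rules)
        print(effective, notes)
```

A response that ends up with no `Content-Type` leaves the browser to sniff the body, so a note of that kind is worth resolving before the rule set goes live.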