HTTP response headers are a component of the header section in response messages transmitted over HTTP. HTTP response headers carry specific parameters to clients. You can create custom response headers and enable Alibaba Cloud CDN to return specified response headers so that certain features, such as cross-origin resource sharing (CORS), can be implemented.

Scenarios

Scenario 1: Specify the type of resource returned to the clients. For example, you can add the Content-Type: text/html response header to inform clients that the file returned is in the HTML format.

Scenario 2: Enable CORS. When a user requests resources from a domain name accelerated by Alibaba Cloud CDN, you can add the Access-Control-Allow-Origin header to the responses to enable CORS. For more information, see Configure CORS. In addition, Alibaba Cloud CDN allows you to enable authentication on cross-origin requests based on custom CORS rules, which regulates access control for CORS.

Note
  • The configuration of an HTTP response header applies to a domain name. After you configure an HTTP response header, the configuration of the response header takes effect for all responses returned from the domain name.
  • An HTTP response header affects only the response behavior of clients, such as browsers. An HTTP response header does not affect the caching behavior of CDN edge nodes. You cannot create a custom HTTP response header for wildcard domain names.

Procedure

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column of the domain name.
  4. In the management pane of the domain name, click Cache.
  5. Click the Custom HTTP Response Header tab.
  6. Click Customize and set the parameters.
    In the following example, a custom HTTP response header is created. The parameters are described below.
    • Operation: You can add, delete, change, or replace specified response headers.
    • Response Header: Select a response header. For more information, see Response headers.
    • Header Name: If you select Custom, you must specify a header name. Take note of the following rules:
      • The name can contain letters, hyphens (-), and digits.
      • The name must be 1 to 100 characters in length.
    • Header Value: Specify the header value. For more information, see Response headers.
    • Allow Duplicates:
      • Yes: Duplicate headers are allowed. Duplicate headers added by Alibaba Cloud CDN and returned from the origin server are all retained.
      • No: Duplicate headers are not allowed. The header added by Alibaba Cloud CDN overwrites the duplicate header returned from the origin server.
    • CORS: By default, CORS authentication is disabled. You can configure CORS authentication only if Operation is set to Add and Response Header is set to Access-Control-Allow-Origin.
      • Enable: After CORS authentication is enabled, CDN edge nodes check the Origin header of user requests based on the rules in the following note and set the value of Access-Control-Allow-Origin accordingly.
      • Disable: After CORS authentication is disabled, CDN edge nodes do not check the Origin header of user requests. In this case, CDN edge nodes return the configured Access-Control-Allow-Origin value as is.
    Note
    CORS authentication rules:
    • Wildcard pattern match: If the Access-Control-Allow-Origin header is set to an asterisk (*), Access-Control-Allow-Origin:* is returned regardless of whether user requests contain the Origin header or the value to which the Origin header is set.
    • Exact match: You can set the Access-Control-Allow-Origin header to one or more values. Separate values with commas (,).
      • If the Origin value of a request header is an exact match of one of the specified values, a response header with the destination origin is returned.
      • If the Origin value does not match any of the specified values, no response header is returned.
    • Wildcard domain name match: If the Access-Control-Allow-Origin header is set to a wildcard domain name, the value of the Origin header is matched against the wildcard domain name.

    For more information, see Configure CORS.

  7. Click OK.

    After a custom response header is created, it is displayed on the Custom HTTP Response Header tab. You can Modify or Delete the header.

Response headers

Custom
  Description: Allows you to create a custom response header based on your business requirements. Take note of the following rules:
  • The name can contain letters, hyphens (-), and digits.
  • The name must be 1 to 100 characters in length.
  Example: Test-Header

Cache-Control
  Description: Specifies the cache rule that requests and responses follow.
  Example: no-cache

Content-Disposition
  Description: Specifies the default file name when the retrieved content is saved as a file on the client program.
  Example: examplefile.txt

Content-Type
  Description: Specifies the media type of the resource returned to clients.
  Example: text/plain

Pragma
  Description: Pragma is an HTTP/1.0 general-type header. It is used to carry cache control directives in server responses.
  Example: no-cache

Access-Control-Allow-Origin
  Description: Specifies the origins with which the response can be shared. You can enter an asterisk (*) in the Header Value field to specify all domain names. You can also enter a specific domain name, for example, http://www.aliyun.com.
  Note
  • You can set this header to an asterisk (*), which matches all domain names.
  • If this header is not set to an asterisk (*), you can configure one or more IP addresses and domain names. Separate IP addresses and domain names with commas (,).
  • If this header is not set to an asterisk (*), each value must start with http:// or https://.
  • Port numbers are supported.
  • Wildcard domain names are supported.
  Examples:
  • *
  • http://www.aliyun.com
  • https://aliyun.com:8080,http://10.10.10.10
  • http://*.aliyun.com

Access-Control-Allow-Methods
  Description: Specifies the request methods that are allowed in cross-origin requests. You can specify one or more request methods. Separate request methods with commas (,).
  Example: POST,GET

Access-Control-Allow-Headers
  Description: Specifies the header fields that can be used in cross-origin requests.
  Example: X-Custom-Header

Access-Control-Expose-Headers
  Description: Allows a server to specify which response headers are available to scripts that are running in the browser.
  Example: Content-Length

Access-Control-Allow-Credentials
  Description: Specifies whether browsers can expose responses to frontend JavaScript code.
  • true: Browsers can expose responses to frontend JavaScript code.
  • Other values: Browsers cannot expose responses to frontend JavaScript code.
  Example: true

Access-Control-Max-Age
  Description: Specifies how long the results of a preflight request can be cached, in seconds.
  Example: 600
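As an added example (not Alibaba Cloud's code), the following Python models the CORS authentication rules from the Procedure section's note (wildcard pattern, exact match, wildcard domain name) against the Access-Control-Allow-Origin value formats listed above, together with the Allow Duplicates behaviour. It assumes that a wildcard domain name must match the Origin's scheme and port exactly, that the asterisk stands for one or more host labels, and that a successful match echoes the request's Origin; the page does not spell out those details.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed model, not Alibaba Cloud's implementation. Assumptions: a wildcard
# domain name must match the Origin's scheme and port exactly, "*" stands for one
# or more host labels, and a successful match echoes the requesting Origin.

def _wildcard_domain_matches(allowed: str, origin: str) -> bool:
    """Wildcard domain name match, e.g. http://*.aliyun.com vs http://img.aliyun.com."""
    a, o = urlsplit(allowed), urlsplit(origin)
    if a.scheme != o.scheme or a.port != o.port or not a.hostname or not o.hostname:
        return False
    label = r"[a-z0-9-]+"
    host_re = re.escape(a.hostname).replace(r"\*", rf"{label}(?:\.{label})*")
    return re.fullmatch(host_re, o.hostname) is not None

def cors_allow_origin(configured: str, request_origin: str | None) -> str | None:
    """Value an edge node returns for Access-Control-Allow-Origin when CORS
    authentication is enabled; None means the header is omitted."""
    configured = configured.strip()
    if configured == "*":                   # wildcard pattern match: "*" is returned
        return "*"                          # whether or not the request has an Origin
    if not request_origin:
        return None                         # nothing to check against
    origin = request_origin.strip()
    for allowed in filter(None, (v.strip() for v in configured.split(","))):
        if allowed == origin:               # exact match against the configured list
            return origin
        if "*" in allowed and _wildcard_domain_matches(allowed, origin):
            return origin                   # wildcard domain name match
    return None                             # no match: no header is returned

def apply_edge_header(origin_headers: list[tuple[str, str]], name: str, value: str,
                      allow_duplicates: bool) -> list[tuple[str, str]]:
    """Allow Duplicates = Yes keeps the origin server's copy next to the CDN-added
    header; No drops the origin's copy (header names are case-insensitive)."""
    kept = origin_headers if allow_duplicates else [
        (n, v) for n, v in origin_headers if n.lower() != name.lower()]
    return [*kept, (name, value)]

if __name__ == "__main__":
    # Constructed sample configuration and request Origins.
    config = "https://aliyun.com:8080,http://10.10.10.10,http://*.aliyun.com"
    for req in ("http://img.aliyun.com", "https://aliyun.com", "http://aliyun.com.evil.example"):
        print(req, "->", cors_allow_origin(config, req))
    print(apply_edge_header([("Cache-Control", "max-age=60")], "Cache-Control", "no-cache", False))
```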

Related API operations

BatchSetCdnDomainConfig