HTTP response headers are a part of HTTP headers. HTTP headers describe the requested resource, server or client behavior, and the parameters of an operation in an HTTP transaction. Dynamic Route for CDN (DCDN) allows you to configure a custom HTTP response header. If you want to request resources that belong to an accelerated domain name, you can add the configured HTTP response header to responses returned from your origin servers. This way, you can perform cross-origin resource sharing (CORS).

Background information

HTTP headers are components of the header section of requests and responses that are transmitted over HTTP. HTTP headers are grouped based on their contexts, such as general headers, request headers, and response headers.

CORS is a standard cross-origin mechanism introduced with HTML5 that lets web application servers control which origins may access their resources, so that cross-origin data transfer remains secure.

Scenarios

If you want to request resources that belong to an accelerated domain name, you can add response headers to responses to perform CORS. After DCDN receives a cross-origin request, it checks the request against the configured CORS rules, uses the first rule that matches to process the request, and adds the corresponding header to the response. If the request matches none of the CORS rules, no header is added to the response.

The configuration of an HTTP response header applies to a domain name. After you configure an HTTP response header, the configuration of this response header takes effect for all responses returned from the domain name. An HTTP response header affects only the response behavior of clients, such as browsers. An HTTP response header does not affect the caching behavior of DCDN nodes. You cannot configure a custom HTTP response header for wildcard domain names.

Procedure

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage, and click Configure in the Actions column.
  4. In the left-side navigation pane on the details page of the specified domain name, click Caching.
  5. On the Custom HTTP Response Header tab, click Add and configure the parameters that are described in the following table.
    Configure an HTTP response header

    Operation: You can add, delete, change, or replace a response header.

    Response Header: Select a response header. For more information, see Response headers.

    Description: The effect of the HTTP header that you select.

    Header Name: If you select Custom Header for the Response Header parameter, you must specify a name for the response header. The name must meet the following rules:
    • The name can contain letters, digits, and hyphens (-).
    • The name must be 1 to 100 characters in length.

    Header Value: Specify a value for the response header. For more information, see Response headers.

    Allow Duplicates: Specifies how a header returned from the origin server is handled when it has the same name as the header that you add.
    • Yes: Both the header returned from the origin server and the header that you add are retained.
    • No: The header that you add overwrites the header that is returned from the origin server.

    CORS: By default, CORS is disabled. You can configure CORS only when Operation is set to Add and Response Header is set to Access-Control-Allow-Origin.
    • Enable: DCDN nodes check the Origin header of user requests and return a value of Access-Control-Allow-Origin based on the following rules.
    • Disable: DCDN nodes do not check the Origin header of user requests and always return the configured value of Access-Control-Allow-Origin.

    Note
    CORS verification rules:
    • If Access-Control-Allow-Origin is set to an asterisk (*), Access-Control-Allow-Origin: * is returned regardless of whether user requests include the Origin header or which value the Origin header carries.
    • If Access-Control-Allow-Origin is set to one or more values that are separated with commas (,):
      • If the value of the Origin header in a user request matches one of the configured values, that value is returned as Access-Control-Allow-Origin.
      • If the value of the Origin header in a user request does not match any configured value, no Access-Control-Allow-Origin header is returned.
    • If you configure a wildcard domain name as a value of Access-Control-Allow-Origin, DCDN nodes check whether the value of the Origin header in a user request matches that wildcard domain name.

    For more information, see How do I configure CORS for DCDN and what are the notes that I must pay attention to?.

  6. Click OK.

    On the HTTP Header page, you can click Modify or Delete to manage HTTP response headers.
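The following Python is an added example, not Alibaba Cloud code and not tied to the console. It models the CORS verification rules from step 5 (asterisk, comma-separated list, wildcard domain name) together with the Allow Duplicates option, so that you can reason about which Access-Control-Allow-Origin value a node would return for a given Origin header before you save a rule. The class and function names (HeaderRule, resolve_allow_origin, apply_header_rule, build_response_headers, validate_allow_origin_value) are assumptions chosen for illustration, as is the wildcard format https://*.example.com and the choice to echo the concrete request Origin when a wildcard entry matches; the sample rules and traffic are constructed.

```python
"""Model of DCDN's CORS verification rules and the Allow Duplicates option.

Added example, not Alibaba Cloud code. All names here are assumptions chosen
for illustration; the behaviour follows the rules stated in the documentation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Header = Tuple[str, str]


@dataclass
class HeaderRule:
    """One 'Add' entry on the Custom HTTP Response Header tab."""
    name: str
    value: str
    allow_duplicates: bool = False  # Allow Duplicates: Yes (True) / No (False)
    cors: bool = False              # CORS: Enable/Disable (Access-Control-Allow-Origin only)


def _wildcard_match(pattern: str, origin: str) -> bool:
    """Match an Origin value against a configured wildcard domain such as
    https://*.example.com (assumed format). Each '*' stands for one or more
    characters other than '/', so the scheme and any explicit port must match
    literally and a suffix such as example.com.attacker.test does not match."""
    regex = "^" + re.escape(pattern).replace(r"\*", r"[^/]+") + "$"
    return re.match(regex, origin) is not None


def resolve_allow_origin(configured: str, request_origin: Optional[str]) -> Optional[str]:
    """Return the Access-Control-Allow-Origin value the node would add, or None
    when no header should be added.

    Rules from the page: a configured '*' is returned whether or not the request
    carries Origin; otherwise the value is a comma-separated list and the header
    is added only when Origin matches one entry; a wildcard entry is matched as a
    pattern (echoing the request Origin in that case is an assumption)."""
    configured = configured.strip()
    if configured == "*":
        return "*"
    if request_origin is None:
        return None
    for entry in (e.strip() for e in configured.split(",")):
        if not entry:
            continue
        if "*" in entry:
            if _wildcard_match(entry, request_origin):
                return request_origin
        elif entry == request_origin:
            return entry
    return None


def validate_allow_origin_value(configured: str) -> List[str]:
    """Check a Header Value against the page's rules for Access-Control-Allow-Origin:
    anything other than a lone '*' must carry http:// or https:// on every
    comma-separated entry (port numbers are allowed)."""
    configured = configured.strip()
    if configured == "*":
        return []
    problems = []
    for entry in (e.strip() for e in configured.split(",")):
        if not entry.startswith(("http://", "https://")):
            problems.append(f"{entry!r}: must include http:// or https://")
    return problems


def apply_header_rule(headers: List[Header], name: str, value: str,
                      allow_duplicates: bool) -> List[Header]:
    """Add one header to the origin response. Header names are case-insensitive.
    Allow Duplicates = No first drops any same-named header from the origin."""
    if allow_duplicates:
        kept = list(headers)
    else:
        kept = [(n, v) for n, v in headers if n.lower() != name.lower()]
    kept.append((name, value))
    return kept


def build_response_headers(origin_headers: List[Header], request_headers: List[Header],
                           rules: List[HeaderRule]) -> List[Header]:
    """Apply the configured rules to one response, as a node would."""
    request = {n.lower(): v for n, v in request_headers}
    out = list(origin_headers)
    for rule in rules:
        value = rule.value
        if rule.cors and rule.name.lower() == "access-control-allow-origin":
            value = resolve_allow_origin(rule.value, request.get("origin"))
            if value is None:
                continue  # Origin did not match: no header is added
        out = apply_header_rule(out, rule.name, value, rule.allow_duplicates)
    return out


# Constructed sample configuration and traffic (not from the page).
RULES = [
    HeaderRule("Access-Control-Allow-Origin", "https://*.example.com", cors=True),
    HeaderRule("Access-Control-Allow-Methods", "POST,GET"),
    HeaderRule("Cache-Control", "no-cache", allow_duplicates=False),
]
ORIGIN_RESPONSE = [("Content-Type", "text/html"), ("Cache-Control", "max-age=60")]

if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://example.com.attacker.test", None):
        req = [("Origin", origin)] if origin else []
        print(origin, "->", build_response_headers(ORIGIN_RESPONSE, req, RULES))
```

Running the module prints the headers a node would return for a matching origin, a non-matching origin that merely ends in a look-alike suffix, and a request without Origin. The last two receive Access-Control-Allow-Methods but no Access-Control-Allow-Origin, which is the behaviour the verification rules describe.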

Response headers

Custom Header
  Allows you to configure a custom response header based on your business requirements. The name of the response header must meet the following rules:
  • The name can contain letters, hyphens (-), and digits.
  • The name must be 1 to 100 characters in length.
  Example: Test-Header

Content-Type
  Specifies the type of the content that is returned to the client.
  Example: text/html

Cache-Control
  Specifies the cache policy that the client uses for requests and responses.
  Example: no-cache

Content-Disposition
  Specifies the default file name if the retrieved content is saved as a file on the client.
  Example: examplefile.txt

Content-Language
  Specifies the languages intended for the audience.
  Example: en-US

Expires
  Specifies the time when the response expires.
  Example: Wed, 21 Oct 2015 07:28:00 GMT

Pragma
  The Pragma header is an HTTP/1.0 general header whose effect is implementation-specific and may vary along the request-response chain. It is retained in HTTP/1.1 for backward compatibility.
  Example: no-cache

Access-Control-Allow-Origin
  Specifies the origins that are allowed to make cross-origin requests.
  Note
  • If you want to allow all domain names, set Access-Control-Allow-Origin to a wildcard character (*).
  • You can also configure one or more IP addresses, domain names, or a combination of IP addresses and domain names. Separate multiple values with commas (,).
  • If you set Access-Control-Allow-Origin to a value other than an asterisk (*), you must include http:// or https:// in the value.
  • Port numbers are supported for Access-Control-Allow-Origin.
  • Wildcard domain names are supported in the Header Value field.
  Examples: * or http://www.aliyun.com

Access-Control-Allow-Methods
  Specifies the request methods that can be used in cross-origin requests. You can specify multiple request methods. Separate multiple request methods with commas (,).
  Example: POST,GET

Access-Control-Allow-Headers
  Specifies the header fields that can be used in cross-origin requests.
  Example: X-Custom-Header

Access-Control-Max-Age
  Specifies how long the results of a preflight request can be cached, in seconds.
  Example: 600

Access-Control-Expose-Headers
  Specifies the headers that can be exposed as part of the response.
  Example: Content-Length

Access-Control-Request-Method
  Informs the server which HTTP method is used in the actual request. Browsers send this header when they issue a preflight request.
  Example: POST

Access-Control-Request-Headers
  Informs the server which HTTP headers are used in the actual request. Browsers send this header when they issue a preflight request.
  Example: X-PINGOTHER

Access-Control-Allow-Credentials
  Specifies whether browsers can expose the response to the frontend page.
  • true: Browsers can expose the response to the frontend page.
  • Other values: Browsers cannot expose the response to the frontend page.
  Example: true