All Products
Search

This Product

    Edge Security Acceleration:Modify outgoing response headers

    Document Center

    Edge Security Acceleration:Modify outgoing response headers

    Last Updated:Dec 24, 2025

    An outgoing response header is part of an HTTP response message that an Edge Security Acceleration (ESA) point od presence (POP) sends to a client. You can configure outgoing response headers on a POP to control which headers are returned with resources. ESA lets you add, modify, and delete outgoing response header rules.

    How it works

    When a client requests a resource, the request first reaches an ESA POP. If the request misses the cache on the ESA POP, the POP sends an origin fetch request to the origin server to retrieve the data. After the origin server returns the data, the ESA POP modifies the original response based on your configured response header rules, such as adding, replacing, or deleting specific headers. Finally, the POP returns the complete resource with the modified response headers to the client. This process helps you implement cross-origin access control, optimize cache policies, and meet other business requirements.

    image

    Use cases

    • Inform the client of the resource type returned by ESA: Add a response header such as Content-Type: text/html. This informs the client that the file format from ESA is HTML, which allows the client to render it correctly.

    • Enable cross-origin resource sharing: When a user requests a resource from a domain name served by ESA, you can configure the Access-Control-Allow-Origin response header in the response message from ESA. This enables cross-origin resource sharing. For more information, see Configure cross-origin resource sharing.

    • Customize response behavior: Add or modify custom headers to adjust the content and format of the response that the client receives. This lets you implement specific features or tracking.

    Notes

    If you add multiple rules, they are executed from top to bottom in the order they appear in the list. If a subsequent rule specifies the same response header name, it overwrites the previous rule. This can cause unexpected results.

    Example 1

    • The response message contains the header test:123.

    • A rule adds the header test:321.

    If the response message matches the rule, the original header test:123 is overwritten with test:321.

    Example 2

    • The response message contains the header test:123.

    • A rule adds the header test:321, and another rule is configured to delete the header test.

    If the response message matches the rules, the original header test:123 is deleted.

    Procedure

    After you add a rule, when a user requests a resource, ESA matches and executes rules sequentially based on the rule execution priority.

    1. In the ESA console, choose Websites. In the Website column, click the name of the target site.

    2. In the navigation pane on the left, choose Rules > Transform Rules.

    3. Click the Modify Response Header tab and choose ESA to Client. Click Create Rule and enter a Rule Name.

    4. In the If requests match... section, set the request matching conditions. For more information about how to configure the rules, see Composition of a rule expression.

    5. In the Modify Response Header section, select an Operation, and enter the Response Header Name and Response Header Value.

      Operation

      Type

      Description

      Example

      Add

      Static

      • Adds the specified response header to the response sent to the client.

      • If the response already contains a header with the same name, the new header overwrites the existing one.

      To add a response header with the name x-code and the value key1, configure the following parameters:

      • Response Header Name: x-code

      • Response Header Value: key1

      Dynamic

      The response header value can be set to an expression.

      To add a response header named Client-Ip-Geo-Location with the value ip.geoip.country to record the country or region of the client IP address, configure the following parameters:

      • Response Header Name: Client-Ip-Geo-Location

      • Response Header Value: ip.geoip.country

      Change

      Static

      Updates the value of a specified response header in the response sent to the client.

      To update the response header named x-code to the value key2, configure the following parameters:

      • Response Header Name: x-code

      • Response Header Value: key2

      Dynamic

      The response header value can be set to an expression.

      To update the response header named Client-Ip-Geo-Location to the value ip.geoip.country to change the header value to the country or region of the client IP address, configure the following parameters:

      • Response Header Name: Client-Ip-Geo-Location

      • Response Header Value: ip.geoip.country

      Delete

      Deletes all parameter values that match the Response Header Name from the response sent to the client, regardless of whether there are duplicate response header parameters.

      To delete the response header named x-code, set Response Header Name to x-code.

      Note

      • Do not configure a Response Header Name that starts with ali-inner or ali-swift (case-insensitive).

      • You can configure multiple values for Response Header Value. Separate the values with a comma (,).

      • The delete operation works the same for both static and dynamic modes.

      • The update operation modifies an existing response header. This operation takes effect only if a header with the specified name exists in the original response.

    6. Click OK.

    Dynamic expression examples

    Example 1

    Add a response header to record the originating IP address of the client.

    • Response Header Name: True-Client-IP

    • Response Header Value: ip.src

    Example 2

    Add a response header to record the country code that corresponds to the client IP address.

    • Response Header Name: IP-Country-Code

    • Response Header Value: ip.geoip.country

    Example 2

    Add a response header to record the province code that corresponds to the client IP address.

    • Response Header Name: IP-Province-Code

    • Response Header Value: ip.src.subdivision_1_iso_code

    Response header parameters

    Response header parameter

    Description

    Example

    Custom

    You can add custom response headers. The custom response header name must meet the following requirements:

    • Consists of uppercase letters, lowercase letters, hyphens (-), and digits.

    • Is 1 to 100 characters in length.

    Test-Header

    Cache-Control

    Specifies the caching mechanism that the client program must follow for requests and responses.

    no-cache

    Content-Disposition

    Specifies the default file name when the client program saves the requested content as a file.

    examplefile.txt

    Content-Type

    Specifies the content type of the response object for the client program.

    text/plain

    Pragma

    Pragma is a general header defined in HTTP/1.0. This header is typically used in server responses to define the client's caching behavior for files.

    no-cache

    Access-Control-Allow-Origin

    Specifies which origins can access the resource. It is part of the cross-origin resource sharing (CORS, Cross-Origin Resource Sharing) mechanism, which allows a server to declare whether its resources can be accessed by a specified origin domain name. The value of this response header supports the following types:

    • Wildcard character *: Use a wildcard character to allow any origin to access the resource. This method is very loose and is suitable for public resources that can be accessed without authentication or authorization. However, use wildcard characters with caution in a production environment because they can pose security risks, such as cross-site request forgery attacks.

    • Single specified origin: You can specify a single origin domain name to allow only that origin to access the resource. For example, http://example.com or https://api.example.com. The request must come from the specified origin. Otherwise, it is rejected.

    • *

    • http://www.aliyun.com

    Access-Control-Allow-Methods

    Specifies the allowed methods for cross-origin requests. Separate multiple methods with a comma (,).

    POST,GET

    Access-Control-Allow-Headers

    Specifies the allowed fields for cross-origin requests.

    X-Custom-Header

    Access-Control-Expose-Headers

    Specifies the custom headers that are allowed to be accessed.

    Content-Length

    Access-Control-Allow-Credentials

    This response header indicates whether the response to the request can be exposed to the page.

    • true: The response can be exposed.

    • Other values: The response cannot be exposed.

    true

    Access-Control-Max-Age

    Specifies the cache duration, in seconds, for the preflight request result for a specific resource.

    600

    Note

    • The response header value can be set to *, which indicates any origin.

    • If the response header value is not *, you can configure one or more IP addresses, domain names, or a mix of both. Separate them with a comma (,).

    • If the response header value is not *, the value must include the protocol http:// or https://.

    • The response header value can include a port number.

    • The response header value supports wildcard domain names.

    References

    Rule-related features vary in execution priorityrule behavior, and configuration scope. For more information, see How ESA rules take effect.