If you want to request resources that belong to an accelerated domain name, you can add a custom HTTP response header to responses returned from your origin servers. This way, you can perform cross-origin resource sharing (CORS). This topic describes how to configure a custom HTTP response header.

Background information

CORS is a standard cross-origin solution that is provided by HTML 5 to allow web application servers to manage cross-origin access. This solution ensures that data transmission is secure.

To perform CORS, you can add response headers to responses. After Alibaba Cloud CDN receives a cross-origin request, CORS rules are triggered to check the permissions. Alibaba Cloud CDN checks whether each cross-origin request meets the CORS rules. Then, Alibaba Cloud CDN uses the first rule that matches the request to process the request and adds a header to the response. If the request fails to match the CORS rules, no header is added to the response.

The configuration of an HTTP response header applies to a domain name. After you configure an HTTP response header, the configuration of this response header takes effect for all responses returned from the domain name. An HTTP response header affects only the response behavior of clients, such as browsers. An HTTP response header does not affect the caching behavior of CDN nodes. You cannot configure a custom HTTP response header for wildcard domain names.

Procedure

  1. Log on to the ApsaraVideo VOD console.
  2. In the left-side navigation pane of the ApsaraVideo VOD console, choose Configuration Management > CDN Configuration > Domain Names to go to the Domain Names page.
  3. On the Domain Names page, select the domain name that you want to configure, and click Configure in the Actions column.
  4. In the left-side navigation pane of the specified domain, click Cache.
  5. Click the Custom HTTP Response Headers tab.
  6. Click Add and configure the parameters described in the following table.
    In the following example, a custom HTTP response header is configured.

    Parameter: Description

    Operation: You can add, delete, change, or replace a response header.

    Response Header: Select Custom or a standard response header, such as Cache-Control, from the drop-down list. For more information, see Response headers.

    Response Header Name: If you select Custom for the Response Header parameter, you must specify a name for the response header. The name of the response header must be specified based on the following rules:
      • The name must contain letters, digits, and hyphens (-).
      • The name must be 1 to 100 characters in length.

    Response Header Value: Specify a value for the response header. For more information, see Response headers.

    Allow Duplicates:
      • Allowed: Retains the header that is returned from the origin server and the header that you add whose name is the same.
      • Not Allowed: The header that you add whose name is the same overwrites the header that is returned from the origin server.
  7. Click OK.

    After you add a custom HTTP response header, you can Modify or Delete the header in the Actions column.

Response headers

Note: Custom response headers do not support HTTP/2.

Response header: Custom
Description: Allows you to add a custom response header based on your business requirements. The name of the response header must be specified based on the following rules:
  • The name must contain letters, digits, and hyphens (-).
  • The name must be 1 to 100 characters in length.
Example: Test-Header

Response header: Cache-Control
Description: Specifies the cache policy that the client uses for requests and responses.
Example: no-cache

Response header: Content-Disposition
Description: Specifies the default file name if the retrieved content is saved as a file on the client.
Example: examplefile.txt

Response header: Content-Type
Description: Specifies the type of the content that is returned to the clients, such as text, image, audio, video, or file.
Example: image

Response header: Pragma
Description: The Pragma HTTP/1.0 general header is an implementation-specific header that may have various effects along the request-response chain. Pragma HTTP/1.0 is compatible with HTTP/1.1.
Example: no-cache

Response header: Access-Control-Allow-Origin
Description: Specifies a list of origins that are allowed to make cross-origin requests. If you want to specify all domain names, you can set the Response Header Value field to a wildcard character, such as the asterisk (*). You can also enter a domain name, for example, http://example.aliyundoc.com.
Note:
  • If you want to specify all domain names, you can set the Response Header Value field to a wildcard character, such as the asterisk (*).
  • You can also configure one or more IP addresses, domain names, or combinations of IP addresses and domain names. Separate multiple IP addresses, domain names, or combinations of IP addresses and domain names with commas (,).
  • If you do not set the Response Header Value field to a wildcard character such as the asterisk (*), you must include http:// or https:// in the header.
  • Port numbers are supported for the Response Header Value field.
  • Wildcard domain names are supported for the Response Header Value field.
Example:
  • *
  • http://example.aliyundoc.com

Response header: Access-Control-Allow-Methods
Description: Specifies the request methods that you can use in cross-origin requests. You can specify multiple request methods. Separate multiple request methods with commas (,).
Example: POST,GET

Response header: Access-Control-Allow-Headers
Description: Specifies the header fields that you can use in cross-origin requests.
Example: X-Custom-Header

Response header: Access-Control-Expose-Headers
Description: Specifies the headers that can be exposed as part of the response. You can specify multiple headers. Separate multiple headers with commas (,).
Example: Content-Length

Response header: Access-Control-Allow-Credentials
Description: Specifies whether browsers can expose responses to the frontend page.
  • true: Browsers can expose responses to the frontend page.
  • Other values: Browsers cannot expose responses to the frontend page.
Example: true

Response header: Access-Control-Max-Age
Description: Specifies how long the results of a preflight request can be cached, in seconds.
Example: 600
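
The following check is an added example, not Alibaba Cloud code: it lints a planned Access-Control-Allow-Origin value against the rules listed above and models the first-match behavior described in Background information. The function names, the sample origins, and the wildcard syntax (* matching any run of characters, as in https://*.example.com) are assumptions; the credentials finding reflects the browser CORS check defined by the Fetch standard.

```python
import re
from fnmatch import fnmatchcase

# Rules copied from the tables above.
NAME_RE = re.compile(r"[A-Za-z0-9-]{1,100}")  # custom header name
# Non-wildcard value: scheme required, optional port; the host may be a
# domain name, an IP address, or a wildcard domain name.
ENTRY_RE = re.compile(r"https?://[A-Za-z0-9*.-]+(:\d{1,5})?")


def valid_header_name(name):
    """Letters, digits and hyphens only, 1 to 100 characters."""
    return NAME_RE.fullmatch(name) is not None


def split_origins(value):
    """Split a comma-separated Response Header Value into trimmed entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def lint_cors(allow_origin, allow_credentials=None):
    """Return findings for a planned Access-Control-Allow-Origin value."""
    findings = []
    entries = split_origins(allow_origin)
    if not entries:
        findings.append("empty Access-Control-Allow-Origin value")
    for entry in entries:
        if entry == "*":
            if allow_credentials == "true":
                # Fetch standard: browsers fail the CORS check when a
                # credentialed request gets Access-Control-Allow-Origin: *.
                findings.append("'*' with Access-Control-Allow-Credentials: true")
        elif not ENTRY_RE.fullmatch(entry):
            findings.append(f"{entry!r} is not http(s)://host[:port]")
    return findings


def first_match(request_origin, allow_origin):
    """Return the first configured entry matching the Origin, else None."""
    for entry in split_origins(allow_origin):
        # Assumed wildcard syntax: '*' stands for any run of characters.
        if fnmatchcase(request_origin.lower(), entry.lower()):
            return entry
    return None  # no rule matched: the page says no header is added


if __name__ == "__main__":
    # Constructed sample values, not taken from a real configuration.
    print(lint_cors("example.aliyundoc.com", "true"))
    print(first_match("https://img.example.com", "https://*.example.com"))
```
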