If you want to request resources that belong to an accelerated domain name, you can add a custom HTTP response header to responses returned from your origin servers. This way, you can perform cross-origin resource sharing (CORS). This topic describes how to configure a custom HTTP response header.
Background information
CORS is a standard cross-origin solution that is provided by HTML5 to allow web application servers to manage cross-origin access. This solution ensures that data transmission is secure.
To perform CORS, you can add response headers to responses. After Alibaba Cloud CDN receives a cross-origin request, CORS rules are triggered to check the permissions. Alibaba Cloud CDN checks whether each cross-origin request meets the CORS rules. Then, Alibaba Cloud CDN uses the first rule that matches the request to process the request and adds a header to the response. If the request fails to match the CORS rules, no header is added to the response.
The configuration of an HTTP response header applies to a domain name. After you configure an HTTP response header, the configuration of this response header takes effect for all responses returned from the domain name. An HTTP response header affects only the response behavior of clients, such as browsers. An HTTP response header does not affect the caching behavior of CDN nodes. You cannot configure a custom HTTP response header for wildcard domain names.
Procedure
Response headers
Response header | Description | Example |
---|---|---|
Custom | Allows you to add a custom response header based on your business requirements. The name of the response header must be specified based on the following rules: | Test-Header |
Cache-Control | Specifies the cache policy that the client uses for requests and responses. | no-cache |
Content-Disposition | Specifies the default file name if the retrieved content is saved as a file on the client. | examplefile.txt |
Content-Type | Specifies the type of the content that is returned to the clients, such as text, image, audio, video, or file. | image |
Pragma | The Pragma HTTP/1.0 general header is an implementation-specific header that may have various effects along the request-response chain. Pragma HTTP/1.0 is compatible with HTTP/1.1. | no-cache |
Access-Control-Allow-Origin | Specifies a list of origins that are allowed to make cross-origin requests. If you want to specify all domain names, you can set the Response Header Value field to a wildcard character, such as the asterisk (*). You can also enter a domain name, for example, http://example.aliyundoc.com. | |
Access-Control-Allow-Methods | Specifies the request methods that you can use in cross-origin requests. You can specify multiple request methods. Separate multiple request methods with commas (,). | POST,GET |
Access-Control-Allow-Headers | Specifies the header fields that you can use in cross-origin requests. | X-Custom-Header |
Access-Control-Expose-Headers | Specifies the headers that can be exposed as part of the response. You can specify multiple headers. Separate multiple headers with commas (,). | Content-Length |
Access-Control-Allow-Credentials | Specifies whether browsers can expose responses to the frontend page. | true |
Access-Control-Max-Age | Specifies how long the results of a preflight request can be cached, in seconds. | 600 |
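
The Access-Control-* values in the table interact with each other: for example, browsers refuse a credentialed response whose Access-Control-Allow-Origin is the wildcard `*`. The following JavaScript (Node.js) check is an added example, not Alibaba Cloud code; `auditCorsHeaders` and both sample configurations are constructed for illustration, and it assumes list values are comma-separated as the table describes.

```javascript
// Added example: audits configured response-header values for CORS mistakes.
// auditCorsHeaders() and the sample configs are hypothetical, constructed here.
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/; // RFC 9110 "token"
const splitList = (v) => v.split(',').map((s) => s.trim()).filter(Boolean);

function auditCorsHeaders(config) {
  const h = {};
  for (const [name, value] of Object.entries(config)) {
    h[name.toLowerCase()] = String(value).trim(); // header names are case-insensitive
  }
  const findings = [];
  const origin = h['access-control-allow-origin'];
  const creds = h['access-control-allow-credentials'];

  if (creds !== undefined && creds !== 'true') {
    findings.push('CREDENTIALS_VALUE: only the exact string "true" is honoured');
  }
  if (origin === '*' && creds === 'true') {
    findings.push('WILDCARD_WITH_CREDENTIALS: browsers block credentialed responses when the origin is *');
  }
  if (origin !== undefined && origin !== '*') {
    for (const entry of splitList(origin)) {
      let ok = false; // a serialized origin has no path, query, or trailing slash
      try { ok = new URL(entry).origin === entry; } catch (e) { ok = false; }
      if (!ok) findings.push(`ORIGIN_FORMAT: "${entry}" is not scheme://host[:port]`);
    }
  }
  for (const name of ['allow-methods', 'allow-headers', 'expose-headers']) {
    const value = h[`access-control-${name}`];
    if (value === undefined) continue;
    for (const item of splitList(value)) {
      if (!TOKEN.test(item)) findings.push(`TOKEN_FORMAT: "${item}" in ${name}`);
      if (item === '*' && creds === 'true') {
        findings.push(`LITERAL_WILDCARD: * in ${name} is not a wildcard with credentials`);
      }
    }
  }
  const maxAge = h['access-control-max-age'];
  if (maxAge !== undefined && !/^\d+$/.test(maxAge)) {
    findings.push('MAX_AGE_FORMAT: expected a whole number of seconds');
  }
  return findings;
}

// Constructed sample configurations using the header names from the table.
const risky = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Allow-Methods': 'POST,GET', 'Access-Control-Max-Age': '10m' };
const sound = { 'Access-Control-Allow-Origin': 'http://example.aliyundoc.com',
  'Access-Control-Allow-Credentials': 'true', 'Access-Control-Allow-Methods': 'POST,GET',
  'Access-Control-Max-Age': '600' };
console.log(auditCorsHeaders(risky), auditCorsHeaders(sound));
```

Running the check against a configuration before saving it catches value combinations that browsers would otherwise reject without a clear error on the server side.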