- Updates and Announcements
- User Tutorial
- Product Introduction
- Purchase Guide
- Getting Started
- Configuration Guide
- Permission Management
- Use Cases
- Best Practice
- API Documentation
- FAQ
- Troubleshooting Methods
- CDN Service Level Agreement
- Glossary
- Updates and Announcements
- User Tutorial
- Product Introduction
- Purchase Guide
- Getting Started
- Configuration Guide
- Permission Management
- Use Cases
- Best Practice
- API Documentation
- FAQ
- Troubleshooting Methods
- CDN Service Level Agreement
- Glossary
Configuration Overview
When an end user requests a business resource, you can add a custom header in the returned response message to implement cross-origin resource sharing.
Response header configuration is of the domain name dimension, therefore, once the configuration takes effect, it will be synced to the response message of each resource under the domain name. Response header configuration only makes changes to the client (browser) response but not to the CDN node cache.
Directions
Viewing the configuration
Log in to the CDN Console, select Domain Management on the left sidebar, and click Manage on the right of a domain name to enter its configuration page. Open the Advanced Configuration tab to find the Response Header Configuration setting, which is disabled by default. You can click Add Rule to add HTTP response header rules.
Operation type
| Operation | Description |
|---|---|
| Set | Changes the value of a specified response header parameter. If the target header does not exist, it will be added after the change operation. If the header parameter already exists, all the duplicates will be changed and merged into one header. For example, after the rule "Set - x-cdn: value1" is configured, if a request contains multiple x-cdn headers, the headers will be changed and merged into one header x-cdn: value1. |
| Delete | Deletes a specified response header parameter. |
Note:
- Some headers cannot be set or deleted in a self-service manner. For the detailed list, see Notes.
- Up to 10 HTTP response header rules can be configured.
- Rule priority can be adjusted. Rules at the bottom of the list have higher priority. If a header parameter is configured with multiple rules, the bottom rule will take effect as rules are executed from bottom to top.
Header parameter
| Header Parameter | Description |
|---|---|
| Access-Control-Allow-Origin | Cross-origin resource sharing (CORS) header, which specifies the domain allowed to access resources. If a source request host is configured as a header parameter value, it will be filled in to the response header. You can also set it as * to allow all domains to access resources. For more information, see Access-Control-Allow-Origin Match Mode Description.The wildcard *, domain names, and IPs are supported. http:// or https:// must be contained. Please separate multiple ones with ,, and up to 1000 characters are supported. E.g., http://test.com,http://1.1.1.1. |
| Access-Control-Allow-Methods | Specifies the CORS HTTP request method and supports multiple methods at the same time: Access-Control-Allow-Methods: POST, GET, OPTIONS. |
| Access-Control-Max-Age | Specifies the validity period (in seconds) of a preflight request. For a non-simple CORS request, an HTTP query request, namely the preflight request, is needed before the official communication to check whether the CORS request is secure to be accepted. A CORS request is non-simple if it is: Not a GET, HEAD, or POST request, or it is a POST request but its request data type is application/xml, text/xml or any other data type except application/x-www-form-urlencoded, multipart/form-data, and text/plain.For example, if a custom request header is Access-Control-Max-Age:1728000, there will not be another CORS preflight request sent within 1,728,000 seconds (20 days). |
| Access-Control-Expose-Headers | Specifies which headers can be exposed to clients as a part of responses. By default, these 6 headers can be exposed to clients: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma.If you want to make other headers accessible to clients, you can separate multiple headers with ,, e.g., Access-Control-Expose-Headers: Content-Length,X-My-Header. In this way, clients can access the two headers Content-Length and X-My-Header. |
| Content-Disposition | Activates download in the browser and sets the default filename of the downloaded resource. When a server sends files to a client browser, with the file types such as TXT and JPG supported by the browser, the files will be directly opened in the browser by default. If you want the user to save the files, you can configure the Content-Disposition field to override the browser's default behavior. The common configuration is as follows:Content-Disposition:attachment;filename=FileName.txt |
| Content-Language | Specifies the language code used on the page. The common configuration is as follows:Content-Language: zh-CNContent-Language: en-US |
| Custom | Supports custom header and key-value pair settings. A custom header parameter supports 1-100 characters of uppercase and lowercase letters, digits, and hyphens (-). The parameter value supports 1-1000 characters excluding Chinese characters. |
Access-Control-Allow-Origin match mode introduction
| Match Mode | Origin Value | Description |
|---|---|---|
| Full match | * | If it is set to *, the header Access-Control-Allow-Origin:* will be added to the response. |
| Fixed match | http://cloud.tencent.com https://cloud.tencent.com http://www.b.com |
The source https://cloud.tencent.com hits the list, so the header Access-Control-Allow-Origin: https://cloud.tencent.com will be added to the response. The source https://www.qq.com does not hit the list, so the response will not change. |
| Second-level wildcard domain name match | https://*.tencent.com |
The source https://cloud.tencent.com hits the list, so the header Access-Control-Allow-Origin: https://cloud.tencent.com will be added to the response. The source https://cloud.qq.com does not hit the list, so the response will not change. |
| Port match | https://cloud.tencent.com:8080 |
The source https://cloud.tencent.com:8080 hits the list, so the header Access-Control-Allow-Origin:https://cloud.tencent.com:8080 will be added to the response. The source https://cloud.tencent.com does not hit the list, so the response will not change. |
Note:If there are special ports, you need to enter the relevant information in the list. You must specify the port as arbitrary port match is not supported.
Notes
The headers below are not supported and will not take effect if configured:
Date
Expires
Content-Type
Content-Encoding
Content-Length
Transfer-Encoding
Cache-Control
If-Modified-Since
Last-Modified
Connection
Content-Range
ETag
Accept-Ranges
Age
Authentication-Info
Proxy-Authenticate
Retry-After
Set-Cookie
Vary
WWW-Authenticate
Content-Location
Content-MD5
Content-Range
Meter
Allow
Error
Yes
No
Was this page helpful?