When an end user requests a business resource, you can add custom headers to the returned response to implement cross-origin resource sharing (CORS).
The response header configuration is set at the domain name level. Once it takes effect, it is applied to the responses of all resources under the domain name. It changes only the response returned to the client (browser); it does not modify the cache on CDN nodes.
Log in to the CDN console, select Domain Management on the left sidebar, and click Manage on the right of a domain name to enter its configuration page. Open the Advanced Configuration tab to find the Response Header Configuration section. It is disabled by default. Click Add Rule to add response header rules.
| Operation | Description |
|---|---|
| Set | Changes the value of a specified response header parameter. If the target header does not exist, it will be added after the change. If the header parameter already exists, all the duplicates will be changed and merged into one header. For example, after the rule "Set - |
| Delete | Deletes a specified response header parameter. |
- Some headers cannot be set or deleted in a self-service manner. For the detailed list, please see Notes.
- Up to 10 response header rules can be configured.
- Rule priority can be adjusted. Rules lower on the list have higher priority: rules are executed from bottom to top, so if a header parameter is configured with multiple rules, the bottom rule takes effect.
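The Set/Delete semantics and the bottom-to-top priority described above are easy to get wrong when several rules touch the same header, so here is a small simulator that applies a rule list to a sample response. This is an added example, not Tencent Cloud CDN code: the header names, rule list and response below are constructed, the unsupported-header list is the one given in the Notes on this page, and it assumes that once a lower rule has handled a header, higher rules for that same header are ignored (which is how "the bottom rule takes effect" is modelled).

```python
"""Simulate how a list of response-header rules is applied to one response.

Added example, not Tencent Cloud CDN code. Rules run from bottom to top, so
when several rules target the same header the bottom one takes effect; "Set"
rewrites every duplicate of a header into one merged header; "Delete" removes
all copies; at most 10 rules are accepted; headers the page lists as
unsupported are skipped. ASSUMPTION: once a header has been handled by a lower
rule, higher rules for that header are ignored.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Headers the page says cannot be set or deleted through this configuration.
UNSUPPORTED = {h.lower() for h in (
    "Date", "Expires", "Content-Type", "Content-Encoding", "Content-Length",
    "Transfer-Encoding", "Cache-Control", "If-Modified-Since", "Last-Modified",
    "Connection", "Content-Range", "ETag", "Accept-Ranges", "Age",
    "Authentication-Info", "Proxy-Authenticate", "Retry-After", "Set-Cookie",
    "Vary", "WWW-Authenticate", "Content-Location", "Content-MD5", "Meter",
    "Allow", "Error",
)}

Header = Tuple[str, str]


@dataclass
class Rule:
    op: str            # "set" or "delete"
    name: str          # header parameter
    value: str = ""    # only used by "set"


def apply_rules(headers: List[Header], rules: List[Rule]) -> List[Header]:
    """Return the headers the client receives after the rules are applied.

    `headers` is the ordered list of (name, value) pairs from the CDN node,
    duplicates allowed; `rules` is the list exactly as shown in the console,
    index 0 being the top row.
    """
    if len(rules) > 10:
        raise ValueError("up to 10 response header rules can be configured")
    result = list(headers)
    handled = set()
    for rule in reversed(rules):            # bottom row first
        key = rule.name.lower()
        if key in UNSUPPORTED or key in handled:
            continue                        # not self-service, or a lower rule already won
        handled.add(key)
        if rule.op == "delete":
            result = [(n, v) for n, v in result if n.lower() != key]
        elif rule.op == "set":
            merged, replaced = [], False
            for n, v in result:
                if n.lower() == key:
                    if not replaced:        # all duplicates collapse into one header
                        merged.append((rule.name, rule.value))
                        replaced = True
                    continue
                merged.append((n, v))
            if not replaced:                # header absent: add it
                merged.append((rule.name, rule.value))
            result = merged
        else:
            raise ValueError(f"unknown operation: {rule.op}")
    return result


# Constructed sample: an origin response with a duplicated header, and a rule
# list where two rows compete for X-Trace and one row targets an unsupported header.
SAMPLE_HEADERS = [
    ("Content-Type", "image/png"),
    ("X-Trace", "a"),
    ("X-Trace", "b"),
    ("Server", "origin-server"),
]
SAMPLE_RULES = [
    Rule("set", "X-Trace", "from-top-rule"),
    Rule("set", "Access-Control-Allow-Origin", "*"),
    Rule("set", "X-Trace", "from-bottom-rule"),
    Rule("delete", "Server"),
    Rule("set", "Content-Type", "text/plain"),   # ignored: Content-Type is unsupported
]

if __name__ == "__main__":
    for name, value in apply_rules(SAMPLE_HEADERS, SAMPLE_RULES):
        print(f"{name}: {value}")
```

Running it shows the two `X-Trace` copies collapsed into one header carrying the bottom rule's value, `Server` removed, `Access-Control-Allow-Origin` appended, and the `Content-Type` rule silently ignored, which is the outcome to expect from the console for an equivalent rule list.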
| Header | Description |
|---|---|
| Access-Control-Allow-Origin | Cross-origin permission-related header, which specifies the domains allowed to access resources. Up to 10 domains can be configured. If the host of the request's Origin matches a configured header parameter value, that value is filled into the response header. You can also set it to `*` to allow all domains to access resources. For more information, please see Access-Control-Allow-Origin Match Mode Description. The wildcard `*`, domain names, and IPs are supported. `http://` or `https://` must be included. Separate multiple entries with `,`; up to 66 entries are supported. E.g., `http://test.com,http://220.127.116.11`. |
| Access-Control-Allow-Methods | Specifies the HTTP request methods allowed for cross-origin requests; multiple methods can be specified at the same time. |
| Access-Control-Max-Age | Specifies the validity period (in seconds) of a preflight request. For a non-simple cross-origin request, the browser first sends a preliminary HTTP request (the preflight request, an OPTIONS request) before the actual communication to check whether the cross-origin request can be safely accepted. A cross-origin request is non-simple if it is not a GET, HEAD, or POST request, or if it is a POST request whose request data type is `application/xml`, `text/xml`, or any other data type except `application/x-www-form-urlencoded`, `multipart/form-data`, and `text/plain`. For example, if the header is set to `Access-Control-Max-Age:1728000`, no further preflight request will be sent for that cross-origin resource within 1,728,000 seconds (20 days). |
| Access-Control-Expose-Headers | Specifies which headers can be exposed to clients as part of responses. By default, these 6 headers can be exposed to clients: `Cache-Control`, `Content-Language`, `Content-Type`, `Expires`, `Last-Modified`, and `Pragma`. If you want to make other headers accessible to clients, separate multiple headers with `,`, e.g., `Access-Control-Expose-Headers: Content-Length,X-My-Header`. In this way, clients can access the two headers `Content-Length` and `X-My-Header`. |
| Content-Disposition | Activates download in the browser and sets the default filename of the downloaded resource. When a server sends a file to a client browser, if the file type is supported by the browser, such as TXT and JPG, the file is opened directly in the browser by default. If you want the user to save the file instead, configure the `Content-Disposition` field to override the browser's default behavior. The common configuration is as follows: |
| Content-Language | Specifies the language code used on the page. The common configuration is as follows: |
| Custom | Supports custom headers as key-value pairs. Requirements on custom header names: 1 to 100 characters consisting of uppercase and lowercase letters, digits, and hyphens (-). Requirements on custom header values: 1 to 1000 characters; Chinese characters are not supported. |
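The Access-Control-Max-Age row above describes the preflight mechanism in prose; the following added example (not Tencent Cloud CDN code) walks through one exchange in code. It classifies a request as simple or non-simple using only the criteria the page gives (method and POST data type; the full CORS rules also consider request headers, which is not modelled), checks a preflight response against the actual request, and keeps a browser-style cache so that a second preflight is skipped until `Access-Control-Max-Age` expires. The origin `https://app.example.com`, the URL and the preflight response headers are constructed sample values.

```python
"""Preflight handling for a cross-origin request. Added example, not Tencent
Cloud CDN code; the request and the preflight response are constructed here.
Uses the page's simple-request criteria (method and POST data type only)."""
from typing import Dict

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_POST_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def needs_preflight(method: str, content_type: str = "") -> bool:
    """True when the request is non-simple and a preflight must be sent first."""
    method = method.upper()
    if method not in SIMPLE_METHODS:
        return True
    if method == "POST":
        media_type = content_type.split(";")[0].strip().lower()   # drop e.g. "; boundary=..."
        return media_type not in SIMPLE_POST_TYPES
    return False


def preflight_allows(preflight_headers: Dict[str, str], origin: str, method: str) -> bool:
    """Would the browser let the actual request proceed after this preflight response?"""
    h = {k.lower(): v for k, v in preflight_headers.items()}
    allow_origin = h.get("access-control-allow-origin", "")
    allow_methods = {m.strip().upper()
                     for m in h.get("access-control-allow-methods", "").split(",") if m.strip()}
    origin_ok = allow_origin == "*" or allow_origin == origin
    return origin_ok and method.upper() in allow_methods


class PreflightCache:
    """Remembers successful preflights until Access-Control-Max-Age runs out."""

    def __init__(self) -> None:
        self._expiry: Dict[tuple, int] = {}

    def store(self, origin: str, url: str, method: str,
              preflight_headers: Dict[str, str], now: int) -> None:
        h = {k.lower(): v for k, v in preflight_headers.items()}
        try:
            max_age = int(h.get("access-control-max-age", "0"))
        except ValueError:
            max_age = 0                     # malformed value: do not cache
        if max_age > 0:
            self._expiry[(origin, url, method.upper())] = now + max_age

    def is_fresh(self, origin: str, url: str, method: str, now: int) -> bool:
        return self._expiry.get((origin, url, method.upper()), -1) > now


# Constructed exchange: a PUT from a web app to a CDN-fronted API, the OPTIONS
# preflight the browser sends first, and the CDN's answer (sample values).
ORIGIN = "https://app.example.com"
URL = "https://cdn.example.com/api/items/1"
PREFLIGHT_REQUEST = {
    "method": "OPTIONS",
    "Origin": ORIGIN,
    "Access-Control-Request-Method": "PUT",
}
PREFLIGHT_RESPONSE = {
    "Access-Control-Allow-Origin": ORIGIN,
    "Access-Control-Allow-Methods": "GET, POST, PUT",
    "Access-Control-Max-Age": "1728000",     # 20 days, the value used in the page's example
}


def walk_through(now: int = 1_000) -> dict:
    """Run the exchange once and report what a browser would conclude."""
    cache = PreflightCache()
    result = {"needs_preflight": needs_preflight("PUT", "application/json")}
    result["allowed"] = preflight_allows(PREFLIGHT_RESPONSE, ORIGIN, "PUT")
    if result["allowed"]:
        cache.store(ORIGIN, URL, "PUT", PREFLIGHT_RESPONSE, now)
    result["preflight_again_after_1_day"] = not cache.is_fresh(ORIGIN, URL, "PUT", now + 86_400)
    result["preflight_again_after_20_days"] = not cache.is_fresh(ORIGIN, URL, "PUT", now + 1_728_000)
    return result


if __name__ == "__main__":
    print(walk_through())
```

The cache key includes the method because a browser caches preflight results per request, not per origin; a `DELETE` to the same URL would trigger its own preflight even while the `PUT` result is still fresh.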
| Match Mode | Origin Value | Description |
|---|---|---|
| Full match | `*` | If it is set to |
| Second-level wildcard domain name match | | |
If special ports are used, you need to enter them in the list. Arbitrary port match is not supported; you must specify the ports.
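Two inputs on this page are free-form text that the console checks against stated rules: the custom header name and value (Custom row of the table above) and the Access-Control-Allow-Origin list (`*`, domain names or IPs, `http://`/`https://` required, `,` separated, up to 66 entries, explicit ports). The added example below (not Tencent Cloud CDN code) validates both and then shows how a request Origin is matched and filled into the response header. Two points are assumptions rather than page content: default ports 80/443 are used when an Origin carries none, and the second-level wildcard form is taken to be written `*.example.com`, matching any subdomain of `example.com` but not `example.com` itself. The configured list reuses the page's own example entries plus one constructed wildcard entry.

```python
"""Validate custom header pairs and Access-Control-Allow-Origin entries, and
match a request Origin against the list. Added example, not Tencent Cloud CDN
code. ASSUMED (not from the page): default ports 80/443 when none is given,
and a `*.example.com` wildcard form that matches subdomains only."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

HEADER_NAME_RE = re.compile(r"[A-Za-z0-9-]{1,100}")
CJK_RE = re.compile(r"[\u4e00-\u9fff]")       # CJK unified ideographs


def validate_custom_header(name: str, value: str) -> List[str]:
    """Return a list of problems (empty when the pair is acceptable)."""
    problems = []
    if not HEADER_NAME_RE.fullmatch(name):
        problems.append("name must be 1-100 letters, digits or hyphens")
    if not 1 <= len(value) <= 1000:
        problems.append("value must be 1-1000 characters")
    if CJK_RE.search(value):
        problems.append("value must not contain Chinese characters")
    return problems


def parse_allow_origin_list(raw: str) -> List[str]:
    """Split the `,`-separated list and enforce the page's entry rules."""
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if not entries:
        raise ValueError("at least one entry is required")
    if len(entries) > 66:
        raise ValueError("up to 66 entries are supported")
    for e in entries:
        if e != "*" and not (e.startswith("http://") or e.startswith("https://")):
            raise ValueError(f"entry must contain http:// or https://: {e}")
    return entries


def _parts(origin: str) -> Tuple[str, str, int]:
    u = urlsplit(origin)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError(f"not an origin: {origin}")
    port = u.port if u.port is not None else (443 if u.scheme == "https" else 80)  # ASSUMED defaults
    return u.scheme, u.hostname, port


def origin_matches(entry: str, request_origin: str) -> bool:
    e_scheme, e_host, e_port = _parts(entry)
    o_scheme, o_host, o_port = _parts(request_origin)
    if e_scheme != o_scheme or e_port != o_port:      # ports must match exactly
        return False
    if e_host.startswith("*."):                       # ASSUMED wildcard form
        suffix = e_host[1:]                           # ".example.com"
        return o_host.endswith(suffix) and len(o_host) > len(suffix)
    return e_host == o_host


def allow_origin_header(entries: List[str], request_origin: str) -> Optional[str]:
    """Value to place in Access-Control-Allow-Origin, or None to omit the header:
    `*` when configured, otherwise the request Origin itself when it matches an entry."""
    if "*" in entries:
        return "*"
    for entry in entries:
        if origin_matches(entry, request_origin):
            return request_origin
    return None


# Constructed configuration: the page's example list plus an assumed wildcard
# entry on a non-default port.
CONFIGURED = parse_allow_origin_list(
    "http://test.com,http://220.127.116.11,https://*.example.com:8443")

if __name__ == "__main__":
    for origin in ("http://test.com", "http://test.com:8080",
                   "https://api.example.com:8443", "https://example.com:8443"):
        print(origin, "->", allow_origin_header(CONFIGURED, origin))
```

Note the port mismatches in the sample run: `http://test.com:8080` and `https://api.example.com` (port 443) both get no header, which is the practical consequence of "you must specify the ports".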
The following headers are not supported and will not take effect even if configured:
`Date`, `Expires`, `Content-Type`, `Content-Encoding`, `Content-Length`, `Transfer-Encoding`, `Cache-Control`, `If-Modified-Since`, `Last-Modified`, `Connection`, `Content-Range`, `ETag`, `Accept-Ranges`, `Age`, `Authentication-Info`, `Proxy-Authenticate`, `Retry-After`, `Set-Cookie`, `Vary`, `WWW-Authenticate`, `Content-Location`, `Content-MD5`, `Meter`, `Allow`, `Error`