HTTP Response Header

Last updated: 2021-05-18 11:57:47

    Configuration Overview

    When an end user requests a business resource, you can add custom headers to the returned response to implement cross-origin resource sharing (CORS).
    Response headers are configured at the domain name level. Once the configuration takes effect, it is applied to the response for every resource under that domain name. Response header configuration only changes the response returned to the client (browser); it does not modify the CDN node cache.

    Configuration Guide

    Viewing the configuration

    Log in to the CDN console, select Domain Management on the left sidebar, and click Manage on the right of a domain name to enter its configuration page. Open the Advanced Configuration tab to see the Response Header Configuration section. It is disabled by default. You can click Add Rule to add response header rules.


    Set
        Changes the value of a specified response header parameter.
        If the target header does not exist, it will be added after the change.
        If the header parameter already exists, all the duplicates will be changed and merged into one header. For example, after the rule "Set - x-cdn: value1" is configured, if a request contains multiple `x-cdn` headers, the headers will be changed and merged into one header `x-cdn: value1`.
    Delete
        Deletes a specified response header parameter.

    • Some headers cannot be set or deleted through this configuration. For the detailed list, please see Notes.
    • Up to 10 response header rules can be configured.
    • Rule priority can be adjusted. Rules lower on the list have higher priority. If a header parameter is configured with multiple rules, the bottom rule will take effect as rules are executed from bottom to top.

    Header parameter

    Access-Control-Allow-Origin
        Cross-origin permission-related header, which specifies the domains allowed to access resources. Up to 10 domains can be configured. If the source request host is configured as a header parameter value, it will be filled in to the response header. You can also set it to `*` to allow all domains to access resources. For more information, please see Access-Control-Allow-Origin Match Mode Description.
        The wildcard `*`, domain names, and IPs are supported. Each entry must contain `http://` or `https://`. Separate multiple entries with `,`; up to 66 entries are supported. E.g., `,`.
    Access-Control-Allow-Methods
        Specifies the cross-origin HTTP request methods; multiple methods can be allowed at the same time:
        `Access-Control-Allow-Methods: POST, GET, OPTIONS`
    Access-Control-Max-Age
        Specifies the validity period (in seconds) of a preflight request.
        For a non-simple cross-origin request, the browser sends an HTTP query request, the preflight request, before the actual communication to check whether the cross-origin request is safe to accept. A cross-origin request is non-simple if it is not a GET, HEAD, or POST request, or if it is a POST request whose request data type is anything other than `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` (for example `application/xml` or `text/xml`).
        For example, if the header is configured as `Access-Control-Max-Age: 1728000`, no further preflight request will be sent for the cross-origin resource sharing within 1,728,000 seconds (20 days).
    Access-Control-Expose-Headers
        Specifies which headers can be exposed to clients as part of responses.
        By default, these 6 headers can be exposed to clients: `Cache-Control`, `Content-Language`, `Content-Type`, `Expires`, `Last-Modified`, and `Pragma`.
        If you want to make other headers accessible to clients, separate multiple headers with `,`, e.g., `Access-Control-Expose-Headers: Content-Length,X-My-Header`. In this way, clients can access the two headers `Content-Length` and `X-My-Header`.
    Content-Disposition
        Activates download in the browser and sets the default filename of the downloaded resource.
        When a server sends a file to a client browser, if the file type is supported by the browser, such as TXT and JPG, the file is opened directly in the browser by default. If you want the user to save the file instead, configure the `Content-Disposition` field to override the browser's default behavior. The common configuration is as follows:
    Content-Language
        Specifies the language code used on the page. The common configuration is as follows:
        `Content-Language: zh-CN`
        `Content-Language: en-US`
    Custom
        Supports custom header and key-value pair settings.
        Requirements on custom header parameters: 1 to 100 characters consisting of uppercase and lowercase letters, digits, and hyphens (-).
        Requirements on custom header values: 1 to 1000 characters; Chinese characters are not supported.

    Access-Control-Allow-Origin match mode introduction

    Full match
        Origin value: `*`
        If the list is set to `*`, the header `Access-Control-Allow-Origin: *` is added to the response.
    Fixed match
        If the source hits the list, the `Access-Control-Allow-Origin` header is added to the response. If the source does not hit the list, the response is not changed.
    Second-level wildcard domain name match
        Origin value: `http://*`
        If the source hits the list, the `Access-Control-Allow-Origin` header is added to the response. If the source does not hit the list, the response is not changed.
    Port match
        If the source hits the list, the `Access-Control-Allow-Origin` header is added to the response. If the source does not hit the list, the response is not changed.

    If special ports are used, add them to the list. Arbitrary port matching is not supported; you must specify each port explicitly.
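    The following is an added example, not code from the CDN product or this page, that models the rule semantics described above: the Set/Delete operations with bottom-rule priority and duplicate merging, the custom header name and value requirements, and the `Access-Control-Allow-Origin` match modes (full, fixed, second-level wildcard, port). The sample headers and origins are constructed; treating "no Chinese characters" as the CJK Unified Ideographs block and not normalising default ports are assumptions.

```python
import re
from urllib.parse import urlsplit

NAME_RE = re.compile(r"[A-Za-z0-9-]{1,100}")  # custom header name rule from the page
CJK_RE = re.compile(r"[\u4e00-\u9fff]")       # "no Chinese characters" (CJK block assumed)


def valid_custom_header(name, value):
    """Check a Custom rule against the page's name and value requirements."""
    return bool(NAME_RE.fullmatch(name)) and 1 <= len(value) <= 1000 and not CJK_RE.search(value)


def apply_rules(headers, rules):
    """Apply (op, name, value) rules to a list of (name, value) response headers.
    Rules are walked bottom to top and the first rule naming a header decides it,
    so the bottom-most rule wins. Set merges duplicates into one header; Delete removes all."""
    if len(rules) > 10:
        raise ValueError("at most 10 response header rules are allowed")
    handled, out = set(), list(headers)
    for op, name, value in reversed(rules):
        key = name.lower()
        if key in handled:
            continue
        handled.add(key)
        out = [(n, v) for n, v in out if n.lower() != key]
        if op == "Set":
            out.append((name, value))
        elif op != "Delete":
            raise ValueError(f"unknown operation {op!r}")
    return out


def allow_origin_for(origin, allowed):
    """Return the Access-Control-Allow-Origin value to add for a request Origin, or None
    when the origin misses the list. Entries need http:// or https://, '*' allows all, and
    a port matches only when written explicitly (no default-port normalisation: assumed)."""
    if "*" in allowed:
        return "*"
    o = urlsplit(origin)
    if not o.scheme or not o.hostname:
        return None
    for e in map(urlsplit, allowed):
        if not e.hostname or e.scheme != o.scheme or e.port != o.port:
            continue
        if e.hostname.startswith("*."):
            # wildcard: the leading dot keeps "evil-example.com" from matching "*.example.com"
            if o.hostname.endswith(e.hostname[1:]):
                return origin
        elif e.hostname == o.hostname:
            return origin
    return None
```

    A matched origin is echoed back as the header value, which is why the list should name only origins you trust rather than `*` when the resource is sensitive.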


    The headers below are not supported and will not take effect even if configured: