Configure HTTP Header

Last updated: 2020-01-13 16:44:57



Generally, there are two types of HTTP messages:

  • Request message sent from client to server
  • Response message sent from server to client

Both types of the messages consist of a start line, one or more header fields, a blank line indicating the end of header field, and a message body (optional). There are four types of HTTP header fields: general header, request header, response header and entity header. Each header field consists of a name (Key), colon (:) and a Value.

Tencent Cloud DSA provides HTTP Header Configuration which allows such features as cross-domain access by adding configured header field in the returned response message when your user requests for service resource.


  • HTTP Header configuration is specific to a domain name. Once the configuration takes effect, the configured header field will be added to user's response messages to any of the resources under this domain name;
  • Configuring HTTP Header will only affect the response behaviors of the client (such as browser), and will not affect caching behaviors of DSA nodes;

Configuration Instructions

DSA provides the following six header field configurations:

  • Content-Disposition: Enable customized resource downloading configuration and default file name upon downloading;
  • Content-Language: Specify resource response language at the client (such as browser);
  • Access-Control-Allow-Origin: Specify the request origins allowed to access the resource for a cross-domain request;
  • Access-Control-Allow-Methods: Specify the request methods allowed for a cross-domain request;
  • Access-Control-Max-Age: Specify the maximum time span during which the returned result of pre-request for a particular resource is cached for a cross-domain request;
  • Access-Control-Expose-Headers: Specify the header information allowed for access for a cross-domain request;

General Configurations


Content-Disposition is used to enable the downloading of browser and set the default name for the downloaded file. If the type of the file sent from server to client browser is supported by the browser (such as txt, jpg), the file will be directly opened in the browser by default. If you want the user to be prompted to save the file, you can configure Content-Disposition field to override browser's default behavior. Common configurations are shown below:

Content-Disposition: attachment;filename=FileName.txt


Content-Language is used to define the language code used in the page. Common configurations are shown below:

Content-Language: zh-CN
Content-Language: en-US

Cross-domain Configurations

Cross-domain means that the resource from one domain name (for example, makes a request for a resource under another domain name (for example, Since the resources belong to different domain names, this is considered cross-domain. Moreover, different protocols or different ports will also cause cross-domain access. When this happens, cross-domain related configurations need to be added in the Response Header, so that the resource making the request can get the data it wants.


Access-Control-Allow-Origin is used to solve cross-domain permission issues for resources. The field value defines which domain names are allowed to reference this resource. You can also set wildcard "*" to allow all domain names to reference the resource. Common configurations are shown below:



  • Wildcard domain names are not supported (such as *
  • Either use "*" or specify a URI
  • Please add http:// or https:// as prefix when configure specified domain name;


You can configure multiple allowed cross-domain request methods using Access-Control-Allow-Methods:

Access-Control-Allow-Methods: POST, GET, OPTIONS


Access-Control-Max-Age specifies the valid time of pre-request.

For non-simple cross-domain requests, an additional HTTPS query request ("pre-request") is needed before the formal communication to check whether the cross-domain request is secure and acceptable. In any of the following situations, the request will be considered as a pre-request:

  • The request is initiated using a method other than GET, HEAD or POST or it is initiated using POST with a data type other than application/x-www-form-urlencoded, multipart/form-data and text/plain, such as application/xml or text/xml;
  • A custom request header is used.

Access-Control-Max-Age is measured in second. Here is a configuration example:

Access-Control-Max-Age: 1728000

This indicates no more pre-request will be sent for the cross-domain access to this resource within 1,728,000 seconds (20 days).


Access-Control-Expose-Headers specifies the header information allowed for access for a cross-domain request;

For a cross-domain access request, the method for obtaining response header by the request object can only be used to obtain basic fields. If other fields are required, you need to specify accordingly in Access-Control-Expose-Headers. Here is a configuration example:

Access-Control-Expose-Headers: Content-Length, QCloud-DSA-MyCustom-HeaderY

So, the server allows two fields to be contained in the request: Content-Length and QCloud-DSA-MyCustom-HeaderY.

Configuration Process

Log in to DSA Console and go to "Domain Name Management" page. Then click Manage button to the right of the domain name to enter the management page:

Go to "Advanced Configuration" and find "HTTP header Configuration", then click "Add HTTP header":

Select the header to be added and complete the configuration for it. You can add multiple headers at a time, but the same header can only be added once:

Click OK to complete configuration. It takes about 5 minutes for the configuration to take effect:

You can also modify or delete existing headers.