All Products
Search
Document Center

CDN:Configure an HTTP response header

Last Updated:Dec 25, 2024

HTTP response headers are a component of the header section in response messages that are transmitted over HTTP. HTTP response headers deliver specific parameters to clients to manage caching. You can configure HTTP response headers and allow Alibaba Cloud CDN to return the configured response headers. This way, specific features, such as cross-origin resource sharing (CORS), can be implemented.

Background information

HTTP response headers can be used to manage caching of content that is transmitted over HTTP. When a client requests a resource, the point of presence (POP) returns HTTP response headers to the client, which allow the client and POPs to cache the response under specific conditions.

image
Note
  • The configuration of an HTTP response header applies to a domain name. After you configure an HTTP response header, the configuration of the response header takes effect for responses to all requests destined for your domain name.

  • An HTTP response header affects only the response behavior of clients, such as browsers. An HTTP response header does not affect the caching behavior of POPs.

Scenarios

  • Notify clients of the type of the resource that is returned. For example, you can add the Content-Type: text/html response header to inform clients that the returned file is in the HTML format.

  • Enable CORS. When a user requests resources on a domain name that is accelerated by Alibaba Cloud CDN, you can add the Access-Control-Allow-Origin header to the responses to enable CORS. For more information, see Configure CORS.

    In addition, Alibaba Cloud CDN allows you to enable authentication on cross-origin requests based on custom CORS rules to regulate access control for CORS.

  • Configure custom response behavior. You can add or modify custom headers to modify the content and format of response messages that are returned to clients based on your business requirements. This allows you to implement specific features or track responses.

Usage notes

If multiple rules are configured for the same header, the rules are executed from top to bottom in the configuration list. Examples:

  • Configuration 1: Add the cache-control: max-age=3600 response header.

  • Configuration 2: Add the cache-control: no-cache response header.

In the preceding combined configurations, Configuration 2 takes effect.

Procedure

  1. Log on to the Alibaba Cloud CDN console.

  2. In the left-side navigation pane, click Domain Names.

  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.

  4. In the left-side navigation tree of the domain name, click Cache.

  5. Click the POP HTTP Response Header tab.

  6. Click Customize.

    The following table lists the parameters that you need to configure.

    Parameter

    Description

    Operation

    You can add, delete, change, or replace specific response headers.

    Response Header

    Select a response header. For more information, see Response headers.

    Header Name

    If you set the Response Header parameter to Custom, you need to specify a header name based on the following rules:

    • The name can contain letters, underscores (-), and digits.

    • The name must be 1 to 100 characters in length.

    Header Value

    Specify the header value. For more information, see Response headers.

    Allow Duplicates

    • Yes: Duplicate headers are allowed. All duplicate headers that are added in the Alibaba Cloud CDN console and returned from the origin server are retained.

    • No: Duplicate headers are not allowed. The header that is added in the Alibaba Cloud CDN console overwrites the duplicate header that is returned from the origin server.

    CORS

    By default, CORS is disabled. You can configure CORS only if you set the Operation parameter to Add and the Response Header parameter to Access-Control-Allow-Origin.

    • Enable: After you enable CORS, POPs check the Origin header in user requests based on the CORS rules and specify a value for the Access-Control-Allow-Origin header.

    • Disable: After you disable CORS, POPs do not check the Origin header in user requests. In this case, POPs return the configured value of the Access-Control-Allow-Origin header.

    For more information, see CORS rules.

    Rule Condition

    Rule conditions can identify parameters in a request to determine whether a configuration applies to the request.

    • Do not use conditions

    • Select the configured rule conditions in Rules Engine. For more information, see Rules engine.

  7. Click OK.

    After you configure an HTTP response header, the HTTP response header is displayed on the POP HTTP Response Header tab. You can click Modify or Delete in the Actions column to modify or delete the header.

CORS rules

Important

The Allow Duplicates and CORS settings are mutually exclusive. If you set the Allow Duplicates parameter to Yes, the setting of CORS becomes invalid.

  • Wildcard pattern match: If you set the Access-Control-Allow-Origin header to an asterisk (*), Access-Control-Allow-Origin:* is returned regardless of whether user requests contain the Origin header or the value to which the Origin header is set.

  • Exact match: You can specify one or more values for the Access-Control-Allow-Origin header. Separate the values with commas (,).

    • If the value of the Origin header in a user request matches a value of the Access-Control-Allow-Origin header, the matched value of the Access-Control-Allow-Origin header is returned.

    • If the value of the Origin header in a user request does not match a value of Access-Control-Allow-Origin, the Access-Control-Allow-Origin header is not returned.

  • Wildcard domain name match: If you set the Access-Control-Allow-Origin header to a wildcard domain name, the value of the Origin header is matched against the wildcard domain name.

For more information, see Configure CORS.

Response headers

Response header

Description

Example

Custom

You can create a custom response header based on your business requirements. You need to specify the name of the response header based on the following rules:

  • The name can contain letters, underscores (-), and digits.

  • The name must be 1 to 100 characters in length.

Test-Header

Cache-Control

The cache rule that requests and responses follow.

no-cache

Content-Disposition

The default file name that is used when the retrieved content is saved as a file on the client.

examplefile.txt

Content-Type

The media type of the resource that is returned to clients.

text/plain

Pragma

Pragma is an HTTP/1.0 general-type header that is used to carry cache control directives in server responses.

no-cache

Access-Control-Allow-Origin

The origins with which the response can be shared. You can use an asterisk (*) as a wildcard character in the Header Value field to specify all domain names. You can also enter a specific domain name, such as http://www.aliyun.com.

Note
  • You can set this header to an asterisk (*), which matches all origins.

  • You can configure one or more IP addresses, domain names, or combinations of IP addresses and domain names. Separate multiple values with commas (,).

  • If you do not use an asterisk (*) as a wildcard character for this header, the value must start with http:// or https://.

  • Port numbers are supported.

  • Wildcard domain names are supported.

  • *

  • http://www.aliyun.com

  • https://aliyun.com:8080,http://10.10.10.10

  • http://*.aliyun.com

Access-Control-Allow-Methods

The request methods that you can use in cross-origin requests. You can specify one or more request methods. Separate request methods with commas (,).

POST,GET

Access-Control-Allow-Headers

The header fields that you can use in cross-origin requests.

X-Custom-Header

Access-Control-Expose-Headers

The headers that can be exposed as part of the response.

Content-Length

Access-Control-Allow-Credentials

Specifies whether browsers can expose responses to the frontend page.

  • true: Browsers can expose responses to the frontend page.

  • Other values: Browsers cannot expose responses to the frontend page.

true

Access-Control-Max-Age

The period during which the results of a preflight request can be cached. Unit: seconds.

600

FAQ