Edge Security Acceleration: Modify response headers

Last Updated: Dec 25, 2024

An HTTP response header is part of an HTTP response message and carries specific response parameters to pass to clients. If you configure an HTTP response header, the response message carries the HTTP header when an Edge Security Acceleration (ESA) point of presence (POP) returns the requested content to a client. This helps implement features such as cross-origin resource sharing (CORS).

Common scenarios

  • Inform clients of the type of content returned by ESA: For example, you can add the Content-Type: text/html response header to inform clients that content returned by ESA is in the HTML format.

  • Implement CORS: If a client requests resources on a website that is added to ESA, you can configure the Access-Control-Allow-Origin header in the response message sent by ESA to enable CORS.

  • Specify custom response behavior: You can add or modify custom headers to implement specific features or track responses. For example, you can adjust the response content and format returned to clients based on your business requirements.

Notes

If you create multiple response header modification rules, the rules are executed from top to bottom in the list. If multiple rules modify the same response header, the most recent rule overwrites rules created earlier, so the result may not be what you expect. Example:

  • Rule 1: Add the cache-control: max-age=3600 response header.

  • Rule 2: Add the cache-control: no-cache response header.

If you have Rule 1 and Rule 2 at the same time, Rule 2 takes precedence over Rule 1. This means that the returned content is not cached.

Modify a response header

  1. Log on to the ESA console.

  2. In the left-side navigation pane, click Websites.

  3. On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.

  4. In the left-side navigation pane, choose Rules > Transform Rules.

  5. Click the Modify Response Header tab.

  6. Click Create Rule. On the Create Response Header Modification Rule page, specify Rule Name, specify conditions that you want to use to match incoming requests, and configure a response header based on your business requirements.

    • Add

      Description: Adds a specific response header to the response message returned to clients.

      Example: To add a response header whose name is x-code and value is key1, perform the following steps:

        • Enter x-code in the Response Header Name column.

        • Enter key1 in the Response Header Value column.

    • Delete

      Description: Removes all response headers that match the value in the Response Header Value column from the response message returned to clients, regardless of how many such response headers exist.

      Example: To remove a response header whose name is x-code, enter x-code in the Response Header Name column.

    • Change

      Description: Changes the value of a response header.

      Example: To change the value of the x-code response header, perform the following steps:

        • Enter x-code in the Response Header Name column.

        • Enter key2 in the Response Header Value column.

    Note

      • You cannot specify a response header name that starts with ali- or Ali-.

      • You can specify one or more values for a response header. Separate the values with commas (,).

  7. Click OK.

Response headers

  • Custom

    Description: You can create a custom response header based on your business requirements. You need to specify the name of the response header based on the following rules:

      • The name can contain letters, hyphens (-), and digits.

      • The name must be 1 to 100 characters in length.

    Example: Test-Header

  • Cache-Control

    Description: The cache rule that requests and responses follow.

    Example: no-cache

  • Content-Disposition

    Description: The default file name that is used when the retrieved content is saved as a file on the client.

    Example: examplefile.txt

  • Content-Type

    Description: The media type of the resource that is returned to clients.

    Example: text/plain

  • Pragma

    Description: Pragma is an HTTP/1.0 general-type header that is used to carry cache control directives in server responses.

    Example: no-cache

  • Access-Control-Allow-Origin

    Description: The origins with which the response can be shared. You can use an asterisk (*) as a wildcard character in the Header Value field to specify all domain names. You can also enter a specific domain name, such as http://www.aliyun.com.

    Note

      • You can set this header to an asterisk (*), which matches all origins.

      • You can configure one or more IP addresses, domain names, or combinations of IP addresses and domain names. Separate multiple values with commas (,).

      • If you do not use an asterisk (*) as a wildcard character for this header, the value must start with http:// or https://.

      • Port numbers are supported.

      • Wildcard domain names are supported.

    Examples:

      • *

      • http://www.aliyun.com

      • https://aliyun.com:8080,http://10.10.10.10

      • http://*.aliyun.com

  • Access-Control-Allow-Methods

    Description: The request methods that you can use in cross-origin requests. You can specify one or more request methods. Separate request methods with commas (,).

    Example: POST,GET

  • Access-Control-Allow-Headers

    Description: The header fields that you can use in cross-origin requests.

    Example: X-Custom-Header

  • Access-Control-Expose-Headers

    Description: The headers that can be exposed as part of the response.

    Example: Content-Length

  • Access-Control-Allow-Credentials

    Description: Specifies whether browsers can expose responses to the frontend page.

      • true: Browsers can expose responses to the frontend page.

      • Other values: Browsers cannot expose responses to the frontend page.

    Example: true

  • Access-Control-Max-Age

    Description: The period during which the results of a preflight request can be cached. Unit: seconds.

    Example: 600
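
Added example (not from the ESA documentation or product code): a Python model of the rule order described under Notes combined with the Access-Control-Allow-Origin value format listed above, for reviewing a rule list before you create it in the console. The rule tuples, `effective_headers`, `cors_findings`, the finding labels and the example.com origin are assumptions made for illustration, as is treating Change on an absent header like Add.

```python
import re

# Constructed rule list in console order (top to bottom); values are illustrative.
SAMPLE_RULES = [
    ("add", "cache-control", "max-age=3600"),
    ("add", "cache-control", "no-cache"),
    ("add", "Access-Control-Allow-Origin", "https://app.example.com"),
    ("add", "Access-Control-Allow-Credentials", "true"),
    ("change", "Access-Control-Allow-Origin", "*"),  # later rule, wins
    ("add", "x-code", "key1"),
    ("delete", "x-code", None),
]
NAME_RE = re.compile(r"[A-Za-z0-9-]{1,100}")  # custom-header naming rule from the page

def effective_headers(rules):
    """Model of the documented order: rules run top to bottom, a later rule wins."""
    headers = {}
    for op, name, value in rules:
        if not NAME_RE.fullmatch(name) or name.startswith(("ali-", "Ali-")):
            raise ValueError(f"header name not accepted: {name!r}")
        key = name.lower()  # HTTP header names are case-insensitive
        if op == "delete":
            headers.pop(key, None)
        else:  # assumption: add and change both leave the header at this value
            headers[key] = value
    return headers

def cors_findings(headers):
    """Review findings for the Access-Control-Allow-Origin value that results."""
    origin = headers.get("access-control-allow-origin", "")
    creds = headers.get("access-control-allow-credentials") == "true"
    findings = []
    for value in filter(None, (v.strip() for v in origin.split(","))):
        if value == "*":
            findings.append("wildcard-origin")
            if creds:  # browsers reject credentialed responses when the origin is *
                findings.append("wildcard-with-credentials")
        elif not value.startswith(("http://", "https://")):
            findings.append(f"bad-scheme:{value}")
        else:
            if value.startswith("http://"):
                findings.append(f"cleartext-origin:{value}")
            if "*" in value:
                findings.append(f"wildcard-subdomain:{value}")
    return findings

if __name__ == "__main__":
    result = effective_headers(SAMPLE_RULES)
    print(result, cors_findings(result))
```

In the sample list the restrictive origin set by the third rule is replaced by the later wildcard rule, which is the kind of unexpected result the Notes section describes.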