You can configure a custom HTTP response header to add headers to responses for resources under an accelerated domain name. This enables features such as cross-origin resource sharing (CORS).
Background information
Cross-origin resource sharing (CORS) is a standard solution provided by HTML5. It enables web application servers to manage cross-origin access, which is crucial for secure data sharing across different domains.
When a client requests your resources, you can configure response headers to enable cross-origin access. When the CDN receives a cross-origin request, it reads the corresponding CORS rules and performs a permission check. The CDN evaluates each rule in order and applies the first matching rule to process the request and return the corresponding headers. If no rules match, no CORS-related headers are added.
HTTP response header configurations are applied at the domain name level. These configurations affect only the behavior of the client, such as a browser, and do not affect the caching behavior of CDN nodes. Custom HTTP response headers are not supported for wildcard domain names.
Procedure
-
Log in to the ApsaraVideo VOD console.
-
In the left-side navigation pane, choose Configuration Management > CDN Configuration > Domain Names.
-
Find the domain name that you want to configure and click Configure in the Actions column.
In the navigation pane on the left for the specified domain name, click Cache.
-
Click the Custom HTTP Response Headers tab.
-
Click Add to add a custom HTTP response header.
The following example shows how to add a custom HTTP response header.
Parameter
Description
Operation
You can add, delete, change, or replace a specified response header.
Response Header
Select Customize or a standard response header, such as Cache-Control, from the drop-down list. For more information, see Response header parameters.
Response Header Name
This parameter is required if you set Customize to Custom. The name must meet the following requirements:
-
Consists of uppercase letters, lowercase letters, hyphens (-), and digits.
-
Is 1 to 100 characters in length.
Response Header Value
Enter the value for the response header. For more information, see Response header parameters.
Allow Duplicates
-
Not Allowed: The CDN adds the new header without altering the original header from the origin server, even if they have the same name.
-
Allowed: The new header replaces the original header from the origin server if they have the same name.
-
-
Click OK to complete the configuration.
The new rule appears in the list. You can then click Modify or Delete in the Actions column to manage it.
Response header parameters
All response headers in the following table support HTTP/2, except for custom-defined headers.
|
Parameter |
Description |
Example |
|
Custom |
Allows you to add a custom response header. The header name must meet the following requirements:
|
Test-Header |
|
Cache-Control |
Specifies the caching mechanism that a client follows for requests and responses. |
no-cache |
|
Content-Disposition |
Specifies the default file name when a client saves the requested content as a file. |
examplefile.txt |
|
Content-Type |
Specifies the content type of the response object. Supported types include text, image, audio, video, and file. |
image |
|
Pragma |
An HTTP/1.0 response header used to implement specific directives. It can have various effects along the request-response chain and is used for compatibility with HTTP/1.1. |
no-cache |
|
Access-Control-Allow-Origin |
Specify the allowed origins for cross-origin requests. Enter an asterisk (*) to allow all domains. You can also enter a full domain name, for example, Note
|
|
|
Access-Control-Allow-Methods |
Specifies the allowed methods for cross-origin requests. You can specify multiple methods, separated by commas (,). |
POST,GET |
|
Access-Control-Allow-Headers |
Specifies the allowed header fields in cross-origin requests. |
X-Custom-Header |
|
Access-Control-Expose-Headers |
Specifies which headers can be exposed as part of the response. You can specify multiple headers, separated by commas (,). |
Content-Length |
|
Access-Control-Allow-Credentials |
Indicates whether a browser can expose the response to frontend JavaScript code when a request is made with credentials.
|
true |
|
Access-Control-Max-Age |
Specifies the duration, in seconds, for which the results of a preflight request can be cached. |
600 |