Configure custom HTTP response headers

更新时间:
复制 MD 格式

You can configure a custom HTTP response header to add headers to responses for resources under an accelerated domain name. This enables features such as cross-origin resource sharing (CORS).

Background information

Cross-origin resource sharing (CORS) is a standard solution provided by HTML5. It enables web application servers to manage cross-origin access, which is crucial for secure data sharing across different domains.

When a client requests your resources, you can configure response headers to enable cross-origin access. When the CDN receives a cross-origin request, it reads the corresponding CORS rules and performs a permission check. The CDN evaluates each rule in order and applies the first matching rule to process the request and return the corresponding headers. If no rules match, no CORS-related headers are added.

HTTP response header configurations are applied at the domain name level. These configurations affect only the behavior of the client, such as a browser, and do not affect the caching behavior of CDN nodes. Custom HTTP response headers are not supported for wildcard domain names.

Procedure

  1. Log in to the ApsaraVideo VOD console.

  2. In the left-side navigation pane, choose Configuration Management > CDN Configuration > Domain Names.

  3. Find the domain name that you want to configure and click Configure in the Actions column.

  4. In the navigation pane on the left for the specified domain name, click Cache.

  5. Click the Custom HTTP Response Headers tab.

  6. Click Add to add a custom HTTP response header.

    The following example shows how to add a custom HTTP response header.

    Parameter

    Description

    Operation

    You can add, delete, change, or replace a specified response header.

    Response Header

    Select Customize or a standard response header, such as Cache-Control, from the drop-down list. For more information, see Response header parameters.

    Response Header Name

    This parameter is required if you set Customize to Custom. The name must meet the following requirements:

    • Consists of uppercase letters, lowercase letters, hyphens (-), and digits.

    • Is 1 to 100 characters in length.

    Response Header Value

    Enter the value for the response header. For more information, see Response header parameters.

    Allow Duplicates

    • Not Allowed: The CDN adds the new header without altering the original header from the origin server, even if they have the same name.

    • Allowed: The new header replaces the original header from the origin server if they have the same name.

  7. Click OK to complete the configuration.

    The new rule appears in the list. You can then click Modify or Delete in the Actions column to manage it.

Response header parameters

Note

All response headers in the following table support HTTP/2, except for custom-defined headers.

Parameter

Description

Example

Custom

Allows you to add a custom response header. The header name must meet the following requirements:

  • Consists of uppercase letters, lowercase letters, hyphens (-), and digits.

  • Is 1 to 100 characters in length.

Test-Header

Cache-Control

Specifies the caching mechanism that a client follows for requests and responses.

no-cache

Content-Disposition

Specifies the default file name when a client saves the requested content as a file.

examplefile.txt

Content-Type

Specifies the content type of the response object. Supported types include text, image, audio, video, and file.

image

Pragma

An HTTP/1.0 response header used to implement specific directives. It can have various effects along the request-response chain and is used for compatibility with HTTP/1.1.

no-cache

Access-Control-Allow-Origin

Specify the allowed origins for cross-origin requests. Enter an asterisk (*) to allow all domains. You can also enter a full domain name, for example, http://example.aliyundoc.com.

Note
  • You can set the value to an asterisk (*) to allow requests from any origin.

  • If you do not set the value to an asterisk (*), you can specify one or more IP addresses, domain names, or a mix of both. Separate multiple values with commas (,).

  • If you do not set the value to an asterisk (*), the value must include the http:// or https:// protocol prefix.

  • The value can include a port number.

  • Wildcard domain names are supported.

  • *

  • http://example.aliyundoc.com

Access-Control-Allow-Methods

Specifies the allowed methods for cross-origin requests. You can specify multiple methods, separated by commas (,).

POST,GET

Access-Control-Allow-Headers

Specifies the allowed header fields in cross-origin requests.

X-Custom-Header

Access-Control-Expose-Headers

Specifies which headers can be exposed as part of the response. You can specify multiple headers, separated by commas (,).

Content-Length

Access-Control-Allow-Credentials

Indicates whether a browser can expose the response to frontend JavaScript code when a request is made with credentials.

  • true: Allows the browser to expose the response.

  • Other values or omitted: The browser does not expose the response.

true

Access-Control-Max-Age

Specifies the duration, in seconds, for which the results of a preflight request can be cached.

600