Advanced Configuration
Custom Response Header Configuration
Configuration Scenario
When users request business resources, you can add configured headers to the response messages to achieve purposes such as cross-origin access.
Since HTTP Header configurations are domain-specific, once configured, the specified headers will be included in the response messages for any resource under that domain. Configuring HTTP Headers only affects the response behavior of clients (e.g., browsers) and does not impact the caching behavior of CDN nodes.
Configuration Guide
View Configuration
Log in to the Cloud Protection console, navigate to Domain Management in the menu bar, click Manage next to the domain name to enter the domain configuration page. Under Advanced Configuration, you can find the HTTP Header configuration. By default, this configuration is disabled:
Modify Configuration
- Modify Configuration
Toggle the switch to add HTTP Header settings. The following headers are currently supported, and custom headers can also be added:
- Access-Control-Allow-Origin: Specifies the allowed origins for cross-origin requests.
- Access-Control-Allow-Methods: Specifies the allowed HTTP methods for cross-origin requests.
- Access-Control-Max-Age: Specifies the cache duration for preflight request results of cross-origin requests.
- Access-Control-Expose-Headers: Specifies the headers exposed to clients in cross-origin requests.
- Content-Disposition: Activates client-side resource downloads and sets the default filename.
- Content-Language: Defines the language code used by the page.
- Custom: Custom headers.
General Configuration: Content-Disposition
Content-Disposition activates browser downloads and sets the default filename. When the server sends a file to the client browser, if the file type is supported by the browser (e.g., TXT, JPG), it will open directly. To prompt the user to save the file, configure the Content-Disposition field to override the default browser behavior. Common configurations include:
General Configuration: Content-Language
Content-Language defines the language code used by the page. Common configurations include:
Cross-Origin Configuration: Access-Control-Allow-Origin
A cross-origin request occurs when a resource under one domain (e.g., www.abc.com) requests a resource under another domain (e.g., www.def.com). A difference in protocol or port alone also makes a request cross-origin. For the data to be retrieved successfully, the cross-origin-related headers must be added to the Response Header.
Feature Description:
Access-Control-Allow-Origin resolves cross-origin permissions. The domain value specifies the allowed origins, supporting up to 10 domains. If the requesting Host matches a configured domain, the corresponding value is added to the response header. A wildcard * can also be set to allow requests from all domains.
Matching Patterns
| Match Type | Domain Value | Matching Behavior |
|---|---|---|
| Wildcard | * | When set to *, the response header includes: Access-Control-Allow-Origin: * |
| Exact Match | http://cloud.test.com, https://cloud.test.com, http://www.b.com | A request from https://cloud.test.com matches the list, and the response header includes: Access-Control-Allow-Origin: https://cloud.test.com. A request from https://www.qq.com does not match, and the response remains unchanged. |
| Subdomain Wildcard | http://*.test.com | A request from https://cloud.test.com matches the list, and the response header includes: Access-Control-Allow-Origin: https://cloud.test.com. A request from https://cloud.qq.com does not match, and the response remains unchanged. |
| Port Match | https://cloud.test.com:8080 | A request from https://cloud.test.com:8080 matches the list, and the response header includes: Access-Control-Allow-Origin: https://cloud.test.com:8080. A request from https://cloud.test.com (no port) does not match, and the response remains unchanged. |
Note:
For special ports, the port must be explicitly specified in the list. Wildcard port matching is not supported.
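The following is an added example, not code from the CDN product or its documentation. It simulates the Access-Control-Allow-Origin matching rules from the table above (wildcard, exact match, subdomain wildcard, explicit port) and returns the header value the edge would add, echoing the request's own Origin on a match. Two assumptions are made: the match is performed against the request's Origin header, and, because the table pairs the pattern http://*.test.com with an https://cloud.test.com request, the scheme of a subdomain-wildcard pattern is not compared. The sample domain lists are constructed from the table.

```python
"""Simulation of the Access-Control-Allow-Origin matching table.

Added example; not the CDN's own implementation.  Assumptions:
  * matching is done against the request's Origin header;
  * for a subdomain-wildcard pattern (http://*.test.com) the scheme is not
    compared, following the table's own example.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

MAX_DOMAINS = 10  # the page states that up to 10 domain values are supported


def _split_origin(origin: str) -> Tuple[str, str, Optional[int]]:
    """Return (scheme, host, port) for an origin such as https://a.b.com:8080.

    port is None when no port is written explicitly.
    """
    parts = urlsplit(origin)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an origin: {origin!r}")
    return parts.scheme.lower(), parts.hostname.lower(), parts.port


def origin_matches(pattern: str, origin: str) -> bool:
    """Test one configured domain value against one request Origin."""
    if pattern == "*":
        return True
    p_scheme, p_host, p_port = _split_origin(pattern)
    o_scheme, o_host, o_port = _split_origin(origin)
    # Ports must be written explicitly; there is no wildcard port matching
    # (see the note above), so a pattern without a port never matches an
    # origin that carries one, and vice versa.
    if p_port != o_port:
        return False
    if p_host.startswith("*."):
        # Subdomain wildcard.  The suffix keeps its leading dot, so
        # "cloud.test.com" matches "*.test.com" but "evil-test.com" does not:
        # a bare endswith("test.com") would accept the look-alike host.
        # Scheme is deliberately not compared here (assumption, see header).
        return o_host.endswith(p_host[1:])
    # Exact match: scheme, host and port must all agree.
    return (p_scheme, p_host) == (o_scheme, o_host)


def allow_origin_header(configured: List[str], request_origin: Optional[str]) -> Optional[str]:
    """Value of Access-Control-Allow-Origin the edge should add, or None.

    None means the response is left unchanged (no Origin header, or no match).
    A match on "*" emits "*"; any other match echoes the request's Origin,
    as the table shows.
    """
    if len(configured) > MAX_DOMAINS:
        raise ValueError(f"at most {MAX_DOMAINS} domain values are supported")
    if request_origin is None:
        return None  # same-origin or non-browser request: nothing to add
    for pattern in configured:
        if origin_matches(pattern, request_origin):
            return "*" if pattern == "*" else request_origin
    return None


if __name__ == "__main__":
    # Constructed domain lists, taken from the rows of the table above.
    exact = ["http://cloud.test.com", "https://cloud.test.com", "http://www.b.com"]
    for origin in ("https://cloud.test.com", "https://www.qq.com"):
        print(origin, "->", allow_origin_header(exact, origin))
    for origin in ("https://cloud.test.com", "https://cloud.qq.com", "https://evil-test.com"):
        print(origin, "->", allow_origin_header(["http://*.test.com"], origin))
```

The look-alike case (evil-test.com against *.test.com) is the check worth keeping in mind when reviewing a subdomain-wildcard entry: a suffix comparison that drops the leading dot would silently widen the allow list.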
Cross-Origin Configuration: Access-Control-Allow-Methods
Access-Control-Allow-Methods specifies the allowed HTTP methods for cross-origin requests. Multiple methods can be set simultaneously, e.g.: Access-Control-Allow-Methods: POST, GET, OPTIONS
Cross-Origin Configuration: Access-Control-Max-Age
Access-Control-Max-Age specifies the validity period of preflight requests.
Non-simple cross-origin requests require an additional HTTP request (a preflight request) to determine whether the actual request is safe to send. The following requests are considered non-simple:
- Requests using a method other than GET, HEAD, or POST, or POST requests whose data type is not application/x-www-form-urlencoded, multipart/form-data, or text/plain (e.g., application/xml or text/xml).
- Requests with custom headers.
Access-Control-Max-Age is measured in seconds. Example: Access-Control-Max-Age: 1728000
This indicates that within 1,728,000 seconds (20 days), no additional preflight requests will be sent for cross-origin access to this resource.
Cross-Origin Configuration: Access-Control-Expose-Headers
Access-Control-Expose-Headers specifies which headers can be exposed to clients. By default, only 6 headers are exposed:
- Cache-Control
- Content-Language
- Content-Type
- Expires
- Last-Modified
- Pragma
To expose additional headers, configure as follows (separate multiple headers with commas): Access-Control-Expose-Headers: Content-Length, X-My-Header
This allows clients to access the Content-Length and X-My-Header headers.
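The following added example (not code from the product or its documentation) covers two points from the Access-Control-Max-Age and Access-Control-Expose-Headers sections: it classifies a cross-origin request as simple or preflighted using the criteria listed above, and it computes which response headers a browser script may read once the six default headers and the configured Access-Control-Expose-Headers value are applied. The safelisted request headers used to decide what counts as a "custom" header (Accept, Accept-Language, Content-Language, Content-Type) come from the Fetch standard and are an addition to what the page states; the sample requests and responses are constructed.

```python
"""Preflight classification and exposed-header computation.

Added example; not the CDN's own implementation.  The request-header
safelist is the Fetch standard's (an addition to the page); everything
else follows the criteria stated in the documentation above.
"""
from typing import Dict, Optional, Set

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
# Request headers a browser may send without a preflight (Fetch standard).
# Anything outside this set is a "custom header" in the page's wording.
SAFELISTED_REQUEST_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
# The six response headers a cross-origin script can read by default (from the page).
DEFAULT_EXPOSED = {"cache-control", "content-language", "content-type", "expires", "last-modified", "pragma"}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def needs_preflight(method: str, headers: Dict[str, str]) -> bool:
    """True when the browser must send an OPTIONS preflight before this request."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    # The page phrases the content-type rule for POST; the Fetch standard
    # applies it to any request that carries a Content-Type, so it is
    # checked here regardless of method.  Parameters such as
    # "; charset=utf-8" or "; boundary=..." are stripped before comparing.
    ctype = _header(headers, "content-type")
    if ctype is not None:
        media_type = ctype.split(";", 1)[0].strip().lower()
        if media_type not in SIMPLE_CONTENT_TYPES:
            return True
    # Any non-safelisted ("custom") request header also forces a preflight.
    names = {k.lower() for k in headers}
    return bool(names - SAFELISTED_REQUEST_HEADERS)


def readable_response_headers(response_headers: Dict[str, str]) -> Set[str]:
    """Lowercase names of headers a cross-origin script is allowed to read.

    The six defaults are always readable; Access-Control-Expose-Headers adds
    to them.  Only headers actually present in the response are returned.
    """
    exposed = set(DEFAULT_EXPOSED)
    raw = _header(response_headers, "access-control-expose-headers")
    if raw:
        exposed |= {h.strip().lower() for h in raw.split(",") if h.strip()}
    present = {k.lower() for k in response_headers}
    return present & exposed


if __name__ == "__main__":
    # Constructed sample requests.
    print(needs_preflight("POST", {"Content-Type": "text/plain"}))          # False
    print(needs_preflight("POST", {"Content-Type": "application/xml"}))     # True
    print(needs_preflight("GET", {"X-Requested-With": "XMLHttpRequest"}))   # True
    # Constructed sample response using the page's Expose-Headers example.
    resp = {
        "Content-Type": "text/html",
        "Content-Length": "12",
        "X-My-Header": "1",
        "Access-Control-Expose-Headers": "Content-Length, X-My-Header",
    }
    print(sorted(readable_response_headers(resp)))
```

Dropping the Access-Control-Expose-Headers entry from the sample response shrinks the readable set to just Content-Type, which is the behaviour the six-header default describes.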
Custom Headers
Custom key-value headers can be added:
The following headers cannot be added: Date, Expires, Content-Type, Content-Encoding, Content-Length, Transfer-Encoding, Cache-Control, If-Modified-Since, Last-Modified, Connection, Content-Range, ETag, Accept-Ranges, Age, Authentication-Info, Proxy-Authenticate, Retry-After, Set-Cookie, Vary, WWW-Authenticate, Content-Location, Content-MD5, Meter, Allow, Error.
If the same header is configured more than once, the lower entry takes precedence over the one above it and overrides it directly.
- Disable Configuration
You can disable the configuration via the HTTP Header toggle. When the toggle is off, existing configurations below will not take effect.