Operation | Description |
Set | Changes the value of a specified response header parameter. If the target header does not exist, it will be added after the change operation. If the header parameter already exists, all the duplicates will be changed and merged into one header. For example, after the rule "Set - x-cdn: value1" is configured, if a request contains multiple x-cdn headers, the headers will be changed and merged into one header x-cdn: value1. |
Delete | Deletes a specified response header parameter. |
Header Parameter | Description |
Access-Control-Allow-Origin | Cross-origin resource sharing (CORS) header, which specifies the domain allowed to access resources. If a source request host is configured as a header parameter value, it will be filled in to the response header. You can also set it to * to allow all domains to access resources. For more information, see Access-Control-Allow-Origin Match Mode Description. The wildcard *, domain names, and IPs are supported. Each value must contain http:// or https://. Separate multiple values with commas (,); up to 1000 characters are supported. E.g., http://test.com,http://1.1.1.1. |
Access-Control-Allow-Methods | Specifies the HTTP request methods allowed for CORS. Multiple methods can be specified at the same time, e.g., Access-Control-Allow-Methods: POST, GET, OPTIONS. |
Access-Control-Max-Age | Specifies the validity period (in seconds) of a preflight request. For a non-simple CORS request, an HTTP query request, namely the preflight request, is sent before the actual communication to check whether the CORS request is safe to accept. A CORS request is non-simple if it is: not a GET, HEAD, or POST request, or a POST request whose request data type is application/xml, text/xml, or any other data type except application/x-www-form-urlencoded, multipart/form-data, and text/plain. For example, if the header is set to Access-Control-Max-Age: 1728000, no further CORS preflight request will be sent within 1,728,000 seconds (20 days). |
Access-Control-Expose-Headers | Specifies which headers can be exposed to clients as a part of responses. By default, these 6 headers can be exposed to clients: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma. If you want to make other headers accessible to clients, separate multiple headers with commas (,), e.g., Access-Control-Expose-Headers: Content-Length,X-My-Header. In this way, clients can access the two headers Content-Length and X-My-Header. |
Content-Disposition | Activates download in the browser and sets the default filename of the downloaded resource. When a server sends files to a client browser, files of types the browser supports, such as TXT and JPG, are opened directly in the browser by default. If you want the user to save the files, you can configure the Content-Disposition field to override the browser's default behavior. The common configuration is as follows: Content-Disposition: attachment;filename=FileName.txt |
Content-Language | Specifies the language code used on the page. The common configurations are as follows: Content-Language: zh-CN; Content-Language: en-US |
Custom | Supports custom header and key-value pair settings. A custom header parameter supports 1-100 characters of uppercase and lowercase letters, digits, and hyphens (-). The parameter value supports 1-1000 characters excluding Chinese characters. |
Match Mode | Origin Value | Description |
Full match | * | If it is set to *, the header Access-Control-Allow-Origin: * will be added to the response. |
Fixed match | http://cloud.tencent.com https://cloud.tencent.com http://www.b.com | The source https://cloud.tencent.com hits the list, so the header Access-Control-Allow-Origin: https://cloud.tencent.com will be added to the response. The source https://www.qq.com does not hit the list, so the response will not change. |
Second-level wildcard domain name match | https://*.tencent.com | The source https://cloud.tencent.com hits the list, so the header Access-Control-Allow-Origin: https://cloud.tencent.com will be added to the response. The source https://cloud.qq.com does not hit the list, so the response will not change. |
Port match | https://cloud.tencent.com:8080 | The source https://cloud.tencent.com:8080 hits the list, so the header Access-Control-Allow-Origin: https://cloud.tencent.com:8080 will be added to the response. The source https://cloud.tencent.com does not hit the list, so the response will not change. |
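
The match modes in the table above, modeled as an added example (not the product's own code) that you can use to check an allowlist before configuring it. The function names are hypothetical, and two behaviors are assumptions the page does not state: `*.` stands for exactly one DNS label, and ports are compared literally with no default-port normalization.

```javascript
// Split an origin or rule into scheme, host and port; anything that is not
// scheme://host[:port] (a path, userinfo, the literal "null") is rejected.
function parseOrigin(value) {
  const m = /^(https?):\/\/([a-z0-9*.-]+)(?::(\d+))?$/i.exec(String(value).trim());
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || "" };
}

// Fixed match: hosts must be identical.
// Wildcard match: "*.tencent.com" matches "cloud.tencent.com".
function hostMatches(ruleHost, host) {
  if (!ruleHost.startsWith("*.")) return ruleHost === host;
  const suffix = ruleHost.slice(1); // keep the leading dot: ".tencent.com"
  if (!host.endsWith(suffix)) return false;
  const label = host.slice(0, host.length - suffix.length);
  // Assumption: the wildcard covers one non-empty label, not "a.b".
  return label.length > 0 && !label.includes(".");
}

// Returns the Access-Control-Allow-Origin value to add, or null when the
// source does not hit the list and the response is left unchanged.
function allowOriginHeader(configured, requestOrigin) {
  const rules = configured.split(",").map((s) => s.trim()).filter(Boolean);
  if (rules.includes("*")) return "*"; // full match
  const origin = parseOrigin(requestOrigin || "");
  if (!origin || origin.host.includes("*")) return null;
  for (const rule of rules) {
    const r = parseOrigin(rule);
    if (r && r.scheme === origin.scheme && r.port === origin.port &&
        hostMatches(r.host, origin.host)) {
      return origin.scheme + "://" + origin.host + (origin.port ? ":" + origin.port : "");
    }
  }
  return null;
}

// Origins taken from the table, plus two constructed look-alike hosts that a
// plain substring or suffix comparison would wrongly accept.
for (const o of ["https://cloud.tencent.com", "https://cloud.qq.com",
                 "https://cloud.tencent.com.attacker.example", "https://eviltencent.com"]) {
  console.log(o, "->", allowOriginHeader("https://*.tencent.com", o));
}
```

Comparing scheme, host and port as separate fields is what keeps the look-alike hosts from hitting the wildcard rule.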
Date, Expires, Content-Type, Content-Encoding, Content-Length, Transfer-Encoding, Cache-Control, If-Modified-Since, Last-Modified, Connection, Content-Range, ETag, Accept-Ranges, Age, Authentication-Info, Proxy-Authenticate, Retry-After, Set-Cookie, Vary, WWW-Authenticate, Content-Location, Content-MD5, Content-Range, Meter, Allow, Error