

HTTP Response Header

Last updated: 2022-02-26 13:47:37

    Configuration Overview

    When an end user requests a business resource, you can add a custom header in the returned response message to implement cross-origin resource sharing.
    Response header configuration applies at the domain name level, so once the configuration takes effect, it applies to the response message of every resource under the domain name. Response header configuration only changes the response returned to the client (browser); it does not change the content cached on CDN nodes.


    Viewing the configuration

    Log in to the CDN Console, select Domain Management on the left sidebar, and click Manage on the right of a domain name to enter its configuration page. Open the Advanced Configuration tab to find the Response Header Configuration setting, which is disabled by default. You can click Add Rule to add HTTP response header rules.

    Operation type

    | Operation | Description |
    | --- | --- |
    | Set | Changes the value of a specified response header parameter. If the target header does not exist, it will be added after the change operation. If the header parameter already exists, all the duplicates will be changed and merged into one header. For example, after the rule "Set - x-cdn: value1" is configured, if a request contains multiple x-cdn headers, the headers will be changed and merged into one header x-cdn: value1. |
    | Delete | Deletes a specified response header parameter. |

    • Some headers cannot be set or deleted in a self-service manner. For the detailed list, see Notes.
    • Up to 10 HTTP response header rules can be configured.
    • Rule priority can be adjusted. Rules at the bottom of the list have higher priority. If a header parameter is configured with multiple rules, the bottom rule will take effect as rules are executed from bottom to top.
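
    The Set/Delete semantics and bottom-first priority described above, modelled in Python as an added example (not Tencent Cloud code). The function name and the rule tuple layout are hypothetical, and it assumes that "the bottom rule takes effect" means only the bottom-most rule for a given header name is applied.

```python
MAX_RULES = 10  # limit stated on this page


def apply_rules(headers, rules):
    """Model of the rule semantics described on this page.

    headers: list of (name, value) pairs in the response before the rules run.
    rules:   list of (op, name, value) in console order, top rule first;
             op is "Set" or "Delete" (value is ignored for Delete).
    Returns the header list the client would receive.
    """
    if len(rules) > MAX_RULES:
        raise ValueError("up to 10 HTTP response header rules can be configured")

    # Walk the list from the bottom; the first rule seen for a header name is
    # the bottom-most one, and (by assumption) the only one that takes effect.
    effective = {}
    for op, name, value in reversed(rules):
        if op not in ("Set", "Delete"):
            raise ValueError("unknown operation: %r" % (op,))
        effective.setdefault(name.lower(), (op, name, value))  # names are case-insensitive

    # Every existing copy of a targeted header is dropped: Delete removes it,
    # Set replaces all duplicates with a single merged header.
    result = [(n, v) for n, v in headers if n.lower() not in effective]
    for op, name, value in effective.values():
        if op == "Set":
            result.append((name, value))
    return result


if __name__ == "__main__":
    # Constructed sample response with a duplicated header.
    sample = [("x-cdn", "a"), ("x-cdn", "b"), ("Content-Type", "text/html")]
    print(apply_rules(sample, [("Set", "x-cdn", "value1")]))
```

    Running a planned rule list through a model like this before saving it shows whether a Delete rule lower in the list silently cancels a Set rule above it.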

    Header parameter

    | Header Parameter | Description |
    | --- | --- |
    | Access-Control-Allow-Origin | Cross-origin resource sharing (CORS) header, which specifies the domain allowed to access resources. If a source request host is configured as a header parameter value, it will be filled in to the response header. You can also set it as * to allow all domains to access resources. For more information, see Access-Control-Allow-Origin Match Mode Description. The wildcard *, domain names, and IPs are supported. http:// or https:// must be contained. Separate multiple values with commas (,); up to 1000 characters are supported. E.g., http://test.com, |
    | Access-Control-Allow-Methods | Specifies the CORS HTTP request method and supports multiple methods at the same time: Access-Control-Allow-Methods: POST, GET, OPTIONS. |
    | Access-Control-Max-Age | Specifies the validity period (in seconds) of a preflight request. For a non-simple CORS request, an HTTP query request, namely the preflight request, is needed before the official communication to check whether the CORS request is secure to be accepted. A CORS request is non-simple if it is: Not a GET, HEAD, or POST request, or it is a POST request but its request data type is application/xml, text/xml or any other data type except application/x-www-form-urlencoded, multipart/form-data, and text/plain. For example, if a custom request header is Access-Control-Max-Age:1728000, there will not be another CORS preflight request sent within 1,728,000 seconds (20 days). |
    | Access-Control-Expose-Headers | Specifies which headers can be exposed to clients as a part of responses. By default, these 6 headers can be exposed to clients: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma. If you want to make other headers accessible to clients, separate multiple headers with commas (,), e.g., Access-Control-Expose-Headers: Content-Length,X-My-Header. In this way, clients can access the two headers Content-Length and X-My-Header. |
    | Content-Disposition | Activates download in the browser and sets the default filename of the downloaded resource. When a server sends files to a client browser, with the file types such as TXT and JPG supported by the browser, the files will be directly opened in the browser by default. If you want the user to save the files, you can configure the Content-Disposition field to override the browser's default behavior. The common configuration is as follows: |
    | Content-Language | Specifies the language code used on the page. The common configuration is as follows: Content-Language: zh-CN, Content-Language: en-US |
    | Custom | Supports custom header and key-value pair settings. A custom header parameter supports 1-100 characters of uppercase and lowercase letters, digits, and hyphens (-). The parameter value supports 1-1000 characters excluding Chinese characters. |

    Access-Control-Allow-Origin match mode introduction

    | Match Mode | Origin Value | Description |
    | --- | --- | --- |
    | Full match | * | If it is set to *, the header Access-Control-Allow-Origin:* will be added to the response. |
    | Fixed match | http://cloud.tencent.com, https://cloud.tencent.com, http://www.b.com | The source https://cloud.tencent.com hits the list, so the header Access-Control-Allow-Origin: https://cloud.tencent.com will be added to the response. The source https://www.qq.com does not hit the list, so the response will not change. |
    | Second-level wildcard domain name match | https://*.tencent.com | The source https://cloud.tencent.com hits the list, so the header Access-Control-Allow-Origin: https://cloud.tencent.com will be added to the response. The source https://cloud.qq.com does not hit the list, so the response will not change. |
    | Port match | https://cloud.tencent.com:8080 | The source https://cloud.tencent.com:8080 hits the list, so the header Access-Control-Allow-Origin:https://cloud.tencent.com:8080 will be added to the response. The source https://cloud.tencent.com does not hit the list, so the response will not change. |

    If there are special ports, you need to enter the relevant information in the list. You must specify the port as arbitrary port match is not supported.
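
    The four match modes above, written out as a small Python checker you can run against a planned Access-Control-Allow-Origin value before deploying it. This is an added example, not Tencent Cloud's implementation; the function names are hypothetical, and it assumes that the scheme must match exactly and that the * in a wildcard entry stands for exactly one DNS label (the page does not say whether deeper subdomains match).

```python
def split_origin(value):
    """Return (scheme, host, port) for an origin or list entry, or None if malformed."""
    scheme, sep, rest = value.strip().partition("://")
    if not sep or scheme not in ("http", "https") or not rest or "/" in rest:
        return None  # the page requires http:// or https://; an origin has no path
    host, _, port = rest.partition(":")  # IPv6 literals are out of scope here
    return (scheme, host.lower(), port) if host else None


def entry_matches(entry, origin):
    """True if one configured entry covers the request's Origin value."""
    e, o = split_origin(entry), split_origin(origin)
    if e is None or o is None:
        return False
    # Scheme and port must be identical: the page states that arbitrary
    # port match is not supported, so "no port" only matches "no port".
    if e[0] != o[0] or e[2] != o[2]:
        return False
    if e[1].startswith("*."):
        suffix = e[1][1:]  # "*.tencent.com" -> ".tencent.com"
        label = o[1][: -len(suffix)] if o[1].endswith(suffix) else ""
        return bool(label) and "." not in label  # assumption: one label only
    return e[1] == o[1]


def allow_origin(configured, origin):
    """Return the Access-Control-Allow-Origin value to add, or None for no change."""
    if configured.strip() == "*":
        return "*"  # full match
    if not origin:
        return None
    entries = [x for x in configured.split(",") if x.strip()]
    return origin if any(entry_matches(x, origin) for x in entries) else None


if __name__ == "__main__":
    # Origins taken from the table above, plus one constructed lookalike host.
    for src in ("https://cloud.tencent.com", "https://cloud.qq.com",
                "https://tencent.com.example.net"):
        print(src, "->", allow_origin("https://*.tencent.com", src))
```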


    The headers below are not supported and will not take effect if configured:
