Header Parameter | Description |
Access-Control-Allow-Origin | Specifies which origins are allowed to access the resource. For requests from the allowed origins, the host is added to the request header. You can also configure it to * to allow requests from all origins. For more information, see [Access-Control-Allow-Origin match mode description] |
Access-Control-Allow-Methods | Indicates the HTTP methods allowed for cross-origin requests. You can configure one or more methods, as shown below: Access-Control-Allow-Methods: POST, GET, OPTIONS . |
Access-Control-Max-Age | Specifies the validity period (in seconds) of a preflight request. For a non-simple cross-origin request, an HTTP query request, namely the preflight request, is needed before the official communication to check whether the cross-origin request is secure to be accepted. A cross-origin request is non-simple if it is: not a GET, HEAD, or POST request, or it is a POST request but its request data type is application/xml, text/xml or any other data type except application/x-www-form-urlencoded, multipart/form-data, and text/plain. For example, if a custom request header is Access-Control-Max-Age: 1728000 , there will not be another preflight request sent for this CORS within 1,728,000 seconds (20 days). |
Access-Control-Expose-Headers | This specifies which headers can be exposed to clients as a part of responses. By default, these 6 headers can be exposed to clients: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma. If you want to make other headers accessible to clients, you can separate multiple headers with a comma, e.g., Access-Control-Expose-Headers: Content-Length,X-My-Header. In this way, clients can access the two headers Content-Length and X-My-Header. |
Mode | Value/Example | Description |
Allow all | * | When it is set to * , the header Access-Control-Allow-Origin:* will be added to the response, which means to allow requests from all origins. |
Specified domain | http://cloud.tencent.com https://cloud.tencent.com http://www.b.com | When a request is initiated from https://cloud.tencent.com , which hits the rule, the header Access-Control-Allow-Origin: https://cloud.tencent.com is added to the response. However when there is a request from https://www.qq.com , which does not hit the rule, the response is not changed. |
Specified second-level domain name | https://*.tencent.com | When a request is initiated from https://cloud.tencent.com , which hits the rule, the header Access-Control-Allow-Origin: https://cloud.tencent.com is added to the response. However when there is a request from https://cloud.qq.com , which does not hit the rule, the response is not changed. |
Specified port | https://cloud.tencent.com:8080 | When a request is initiated from https://cloud.tencent.com:8080 , which hits the rule, the header Access-Control-Allow-Origin:https://cloud.tencent.com:8080 is added to the response. However when there is a request from https://cloud.tencent.com , which does not hit the rule, the response is not change. |
Was this page helpful?