Custom HTTP headers

Introduction

To add custom HTTP headers to content on your storage (and subsequently on the CDN), you can use an Apache .htaccess file on your storage. Please refer to Apache HTTP Server Tutorial: .htaccess files for more details.

Examples

Setting cache expiry time

You can control the cache expiry time of your content.

# 30 DAYS
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
    Header add Cache-Control "max-age=2592000, public"
</FilesMatch>

# 2 DAYS
<FilesMatch "\.(xml|txt)$">
    Header add Cache-Control "max-age=172800, public, must-revalidate"
</FilesMatch>

# 2 HOURS
<FilesMatch "\.(html|htm)$">
    Header add Cache-Control "max-age=7200, must-revalidate"
</FilesMatch>

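# NO CACHE (use instead of the 2 HOURS rule above, not together with it:
# both match the same files and "Header add" would send both values)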
<FilesMatch "\.(html|htm)$">
    Header add Cache-Control "no-cache"
</FilesMatch>

After changing origin HTTP headers you might need to purge your content from the CDN cache as it is cached with the old HTTP headers. Please refer to Setting a Cache Expiry Time for more details on cache control on CDN end.

Setting CORS

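You can enable Cross-Origin Resource Sharing (CORS). The wildcard value below lets any origin read the matched files, which suits public static assets such as fonts.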

<FilesMatch "\.(eot|ttf|otf|woff)$">
    Header set Access-Control-Allow-Origin "*"
</FilesMatch>

After changing origin HTTP headers you might need to purge your content from the CDN cache as it is cached with the old HTTP headers. Please refer here for more details.

Setting MIME type

You can control the MIME type of your content.

AddType font/ttf .ttf
AddType font/eot .eot
AddType font/otf .otf
AddType font/woff .woff    

After changing origin HTTP headers you might need to purge your content from the CDN cache as it is cached with the old HTTP headers. Please refer here for more details.

Adding Canonical header

You can add a Canonical HTTP header to your content.

<FilesMatch "\.(jpg|jpeg|png|gif)$">
    RewriteEngine On
    SetEnvIf Request_URI "^(.*)$" CANONICAL_URL=$1
    Header add Link '<https://cdn.mycompany.com%{CANONICAL_URL}e>; rel="canonical"'
</FilesMatch>

After changing origin HTTP headers you might need to purge your content from the CDN cache as it is cached with the old HTTP headers. Please refer here for more details.

Force download

To force download of some content (e.g., PDF files) you can use the following.

<FilesMatch "\.pdf$">
    Header set Content-Type "application/octet-stream"
    Header set Content-Disposition "attachment"
</FilesMatch>

After changing origin HTTP headers you might need to purge your content from the CDN cache as it is cached with the old HTTP headers.

Protection against directories scanning

Let's assume that you store your files on your CDN storage similarly to the following.

/public/b/f/k/bfk.mp3
/public/m/9/0/m90.mp3
/public/z/9/c/z9c.mp3

Let's assume that cdn.mycompany.com is the Service Domain of your push CDN service using the CDN storage as origin and that you have the URL http://cdn.mycompany.com/b/f/k/bfk.mp3 in your HTML source code.

Directories scanning

Attackers may start to scan http://cdn.mycompany.com to find more of your files. By default, directory listing is disabled, so when they access http://cdn.mycompany.com/b/ a 403 (Forbidden) is returned, and when they access http://cdn.mycompany.com/does-not-exist/ a 404 (Not Found) is returned. This difference helps attackers with directory scanning because it reveals whether a directory exists (returns 403) or not (returns 404).

Protection against directories scanning

With the following you can configure your CDN storage and the corresponding push CDN service using the CDN storage as origin to return 404 (Not Found) for all directories.

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [R=404,L]

All your files will still return 200 (OK), but all your directories (existing or not) will return 404 (Not Found).
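
A way to confirm the rule works, as an added example that is not part of the original documentation: the script compares the status of a directory you know exists, a path that does not exist, and a known file. The function names and the `/does-not-exist-<pid>/` probe path are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify that existing and missing directories are
# indistinguishable after applying the RewriteRule above.

# Pure decision logic on three status codes:
#   $1 = known existing directory, $2 = missing path, $3 = known file
classify_dir_responses() {
    existing_dir=$1; missing_dir=$2; known_file=$3
    if [ "$known_file" != "200" ]; then
        echo "BROKEN"   # files must still be served with 200
    elif [ "$existing_dir" != "$missing_dir" ]; then
        echo "LEAK"     # e.g. 403 vs 404 reveals which directories exist
    elif [ "$existing_dir" = "404" ]; then
        echo "OK"       # both look like "Not Found"
    else
        echo "REVIEW"   # identical, but not the 404 the rule should produce
    fi
}

# Fetch only the status code of a URL (HEAD request, body discarded).
http_status() {
    curl -s -o /dev/null -I -w '%{http_code}' "$1"
}

# Usage: check_dir_hiding BASE_URL EXISTING_DIR EXISTING_FILE
#   e.g. check_dir_hiding http://cdn.mycompany.com /b/ /b/f/k/bfk.mp3
check_dir_hiding() {
    base=$1; dir=$2; file=$3
    missing="/does-not-exist-$$/"   # constructed path, assumed absent
    classify_dir_responses \
        "$(http_status "$base$dir")" \
        "$(http_status "$base$missing")" \
        "$(http_status "$base$file")"
}
```

Run it against the Service Domain after purging the CDN cache, and test the directory path both with and without the trailing slash, since the two requests can be answered differently.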

Notes

Use the curl online tool to make sure that your origin content (content on your CDN storage) returns the desired HTTP headers.

Example

curl -I http://u8206939108129.s.push-12.cdnsun.com/photo.jpg
HTTP/1.1 200 OK
Date: Tue, 12 May 2015 14:35:22 GMT
Server: Apache
Last-Modified: Wed, 11 Feb 2015 18:54:49 GMT
ETag: "3b8001e-3395b-50ed489a99040"
Accept-Ranges: bytes
Content-Length: 211291
Cache-Control: public
Expires: Wed, 11 May 2016 14:35:22 GMT
Content-Type: image/jpeg 

Please note that the u8206939108129 in the above origin URL corresponds to the username of your CDN storage used to upload your data to it.

Please note that your command line curl might not work as expected when requesting storage URLs as above. This is because content on storages is not publicly accessible and is supposed to be requested only via a CDN service. Please use our curl online tool instead.

Please note that after changing origin HTTP headers you might need to purge your content from the CDN cache as it is cached with the old HTTP headers.
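
To check saved response headers (for instance, output copied from the curl online tool into a file) against what your .htaccess is meant to produce, the following added example, not part of the original documentation, reports whether a header is missing, wrong, or duplicated. Duplicates matter here because `Header add` appends rather than replaces, so a file that already has a Cache-Control header ends up with two. The function names and sample response are constructed for this example.

```shell
#!/bin/sh
# Added example: audit saved "curl -I" output for expected headers.

# Print every value of header $1 found in the headers file $2
# (case-insensitive name match, CR line endings stripped).
header_values() {
    awk -v name="$1" '
        { sub(/\r$/, "") }
        {
            i = index($0, ":")
            if (i > 0 && tolower(substr($0, 1, i - 1)) == tolower(name)) {
                v = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
            }
        }' "$2"
}

# Usage: check_header NAME EXPECTED_VALUE HEADERS_FILE
# Prints OK, MISSING, DUPLICATE or MISMATCH.
check_header() {
    name=$1; expected=$2; file=$3
    values=$(header_values "$name" "$file")
    if [ -z "$values" ]; then echo "MISSING"; return; fi
    count=$(printf '%s\n' "$values" | wc -l | tr -d ' ')
    if [ "$count" -gt 1 ]; then
        echo "DUPLICATE"    # header sent more than once
    elif [ "$values" = "$expected" ]; then
        echo "OK"
    else
        echo "MISMATCH"
    fi
}

# Constructed sample: an origin that already sends "Cache-Control: public"
# plus the value appended by the 30 DAYS "Header add" rule.
sample_headers() {
    cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Cache-Control: public
Cache-Control: max-age=2592000, public
Content-Type: image/jpeg
EOF
}
```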
