Introduction
To add custom HTTP headers to specific content on your storage (and subsequently on the CDN), you can use an Apache .htaccess file on your storage. Please refer to Apache HTTP Server Tutorial: .htaccess files for more details.
Setting Cache-Control
You can control the cache expiry time of your content.
# 30 DAYS - Static assets (images, CSS, JS, etc.)
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
    Header set Cache-Control "max-age=2592000, public"
</FilesMatch>

# 1 DAY - Text-based files (XML, TXT)
<FilesMatch "\.(xml|txt)$">
    Header set Cache-Control "max-age=86400, public, must-revalidate"
</FilesMatch>

# NO CACHE - Prevent caching for HTML pages
<FilesMatch "\.(html|htm)$">
    Header set Cache-Control "no-store, no-cache, must-revalidate, private"
</FilesMatch>
After changing origin HTTP headers you might need to purge your content from the CDN cache as it is cached with the old HTTP headers. Please refer to Setting a Cache Expiry Time for more details on cache control on CDN end.
Setting CORS
You can enable Cross-Origin Resource Sharing (CORS).
# Allow any origin to load the font files
<FilesMatch "\.(eot|ttf|otf|woff)$">
    Header set Access-Control-Allow-Origin "*"
</FilesMatch>
After changing origin HTTP headers you might need to purge your content from the CDN cache as it is cached with the old HTTP headers. Please refer here for more details.
Setting Cache-Control for HLS Streaming
You can configure caching for HLS playlists and segment files to optimize streaming performance.
# HLS Playlist files (.m3u8) - No caching (important for live streaming)
<FilesMatch "\.m3u8$">
    Header set Cache-Control "no-cache, no-store, must-revalidate"
</FilesMatch>

# HLS Segment files (.ts) - Cache for 30 minutes
<FilesMatch "\.ts$">
    Header set Cache-Control "max-age=1800, public, must-revalidate"
</FilesMatch>
After changing origin HTTP headers, you may need to purge your content from the CDN cache, as it may be cached with the old HTTP headers.
Setting MIME type
You can control the MIME type of your content.
# Custom fonts
AddType font/ttf .ttf
AddType font/eot .eot
AddType font/otf .otf
AddType font/woff .woff

# HLS streaming
AddType application/vnd.apple.mpegurl .m3u8
AddType video/MP2T .ts
After changing origin HTTP headers you might need to purge your content from the CDN cache as it is cached with the old HTTP headers. Please refer here for more details.
Adding Canonical header
You can add a Canonical HTTP header to your content.
<FilesMatch "\.(jpg|jpeg|png|gif)$">
    RewriteEngine On
    SetEnvIf Request_URI "^(.*)$" CANONICAL_URL=$1
    Header add Link '<https://cdn.mycompany.com%{CANONICAL_URL}e>; rel="canonical"'
</FilesMatch>
After changing origin HTTP headers you might need to purge your content from the CDN cache as it is cached with the old HTTP headers. Please refer here for more details.
Force download
To force download of some content (e.g., PDF files) you can use the following.
<FilesMatch "\.pdf$">
    Header set Content-Type "application/octet-stream"
    Header set Content-Disposition "attachment"
</FilesMatch>
After changing origin HTTP headers you might need to purge your content from the CDN cache as it is cached with the old HTTP headers.
Protection against directories scanning
Let's assume that you store your files on your CDN storage similarly to the following.
/public/b/f/k/bfk.mp3
/public/m/9/0/m90.mp3
/public/z/9/c/z9c.mp3
Let's assume that cdn.mycompany.com is the Service Domain of your push CDN service using the CDN storage as origin and that you have the URL https://cdn.mycompany.com/b/f/k/bfk.mp3 in your HTML source code.
Directories scanning
Attackers may start scanning https://cdn.mycompany.com to find more of your files. By default, directory listing is disabled, so a request for https://cdn.mycompany.com/b/ returns 403 (Forbidden), while a request for https://cdn.mycompany.com/does-not-exist/ returns 404 (Not Found). This difference helps attackers with directory scanning because it reveals whether a directory exists (returns 403) or not (returns 404).
Protection against directories scanning
With the following you can configure your CDN storage and the corresponding push CDN service using the CDN storage as origin to return 404 (Not Found) for all directories.
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [R=404,L]
All your files will still be returning 200 (OK) but all your directories (existing or not) will be returning 404 (Not Found).
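To confirm on your own service domain that the rule removed the 403/404 difference, the check below compares the status of a known directory with that of a path that does not exist, and verifies that files still return 200. It is an added example, not part of the original documentation: the function names and the BEFORE/AFTER status tables are constructed for illustration, and `http_status` is what performs the real request when the canned lookup is not passed in.

```python
import urllib.error
import urllib.request

BASE = "https://cdn.mycompany.com"  # service domain used on this page

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report 3xx as-is instead of following it

def http_status(url, timeout=10):
    """HEAD the URL and return its status code (4xx/5xx included)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def directory_findings(base, existing_dirs, missing_dirs, files, status_of=http_status):
    """Return findings; an empty list means directories cannot be told apart."""
    findings = []
    baseline = {status_of(base + d) for d in missing_dirs}
    for d in existing_dirs:
        status = status_of(base + d)
        if status not in baseline:
            findings.append(f"{d}: existing directory returns {status}, "
                            f"missing paths return {sorted(baseline)}")
    for f in files:
        status = status_of(base + f)
        if status != 200:
            findings.append(f"{f}: file returns {status}, expected 200")
    return findings

# Constructed responses (not captured traffic): default behaviour vs. with the rule.
BEFORE = {"/b/": 403, "/does-not-exist/": 404, "/b/f/k/bfk.mp3": 200}
AFTER = {"/b/": 404, "/does-not-exist/": 404, "/b/f/k/bfk.mp3": 200}

def canned(table):
    """Offline stand-in for http_status that answers from a status table."""
    return lambda url: table[url[len(BASE):]]

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        result = directory_findings(BASE, ["/b/"], ["/does-not-exist/"],
                                    ["/b/f/k/bfk.mp3"], status_of=canned(table))
        print(name, result or "no findings")
```

Purge the CDN cache before running it against the live service domain, otherwise the old 403 responses may still be served.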
Notes
Use our Check Content tool to make sure that your origin content (content on your CDN storage) returns the desired HTTP headers.
Please note that after changing origin HTTP headers you might need to purge your content from the CDN cache as it is cached with the old HTTP headers.