Custom HTTP headers

Introduction

To add custom HTTP headers to content on your storage (and subsequently on the CDN), you can use an Apache .htaccess file on your storage. Please refer to Apache HTTP Server Tutorial: .htaccess files for more details.

Setting Cache-Control

You can control the cache expiry time of your content.

# 30 DAYS - Static assets (images, CSS, JS, etc.)
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
    Header set Cache-Control "max-age=2592000, public"
</FilesMatch>

# 1 DAY - Text-based files (XML, TXT)
<FilesMatch "\.(xml|txt)$">
    Header set Cache-Control "max-age=86400, public, must-revalidate"
</FilesMatch>

# NO CACHE - Prevent caching for HTML pages
<FilesMatch "\.(html|htm)$">
    Header set Cache-Control "no-store, no-cache, must-revalidate, private"
</FilesMatch>

After changing origin HTTP headers, you might need to purge your content from the CDN cache, as it is cached with the old HTTP headers. Please refer to Setting a Cache Expiry Time for more details on cache control on the CDN end.

Setting CORS

You can enable Cross-Origin Resource Sharing (CORS).

# Fonts - allow cross-origin use (the dot is escaped so only real extensions match)
<FilesMatch "\.(eot|ttf|otf|woff)$">
    Header set Access-Control-Allow-Origin "*"
</FilesMatch>

After changing origin HTTP headers you might need to purge your content from the CDN cache as it is cached with the old HTTP headers. Please refer here for more details.

Setting Cache-Control for HLS Streaming

You can configure caching for HLS playlists and segment files to optimize streaming performance.

# HLS Playlist files (.m3u8) - No caching (important for live streaming)
<FilesMatch "\.m3u8$">
    Header set Cache-Control "no-cache, no-store, must-revalidate"
</FilesMatch>

# HLS Segment files (.ts) - Cache for 30 minutes
<FilesMatch "\.ts$">
    Header set Cache-Control "max-age=1800, public, must-revalidate"
</FilesMatch>

After changing origin HTTP headers, you may need to purge your content from the CDN cache, as it may be cached with the old HTTP headers.

Setting MIME type

You can control the MIME type of your content.

# Custom fonts
AddType font/ttf .ttf
AddType font/eot .eot
AddType font/otf .otf
AddType font/woff .woff
# HLS streaming
AddType application/vnd.apple.mpegurl .m3u8
AddType video/MP2T .ts

After changing origin HTTP headers you might need to purge your content from the CDN cache as it is cached with the old HTTP headers. Please refer here for more details.

Adding Canonical header

You can add a Canonical HTTP header to your content.

<FilesMatch "\.(jpg|jpeg|png|gif)$">
    RewriteEngine On
    SetEnvIf Request_URI "^(.*)$" CANONICAL_URL=$1
    Header add Link '<https://cdn.mycompany.com%{CANONICAL_URL}e>; rel="canonical"'
</FilesMatch>

After changing origin HTTP headers you might need to purge your content from the CDN cache as it is cached with the old HTTP headers. Please refer here for more details.

Force download

To force download of some content (e.g., PDF files) you can use the following.

<FilesMatch "\.pdf$">
    Header set Content-Type "application/octet-stream"
    Header set Content-Disposition "attachment"
</FilesMatch>

After changing origin HTTP headers you might need to purge your content from the CDN cache as it is cached with the old HTTP headers.

Protection against directories scanning

Let's assume that you store your files on your CDN storage similarly to the following.

/public/b/f/k/bfk.mp3
/public/m/9/0/m90.mp3
/public/z/9/c/z9c.mp3

Let's assume that cdn.mycompany.com is the Service Domain of your push CDN service using the CDN storage as origin and that you have the URL https://cdn.mycompany.com/b/f/k/bfk.mp3 in your HTML source code.

Directories scanning

Attackers may start scanning https://cdn.mycompany.com to find more of your files. By default (directory listing disabled), when they access https://cdn.mycompany.com/b/, 403 (Forbidden) is returned, and when they access https://cdn.mycompany.com/does-not-exist/, 404 (Not Found) is returned. This difference helps attackers with directory scanning because it reveals whether a directory exists (returns 403) or not (returns 404).

Protection against directories scanning

With the following you can configure your CDN storage and the corresponding push CDN service using the CDN storage as origin to return 404 (Not Found) for all directories.

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [R=404,L]

All your files will still return 200 (OK), but all your directories (existing or not) will return 404 (Not Found).
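To confirm the rule took effect, compare the status of directories you know exist with the status of a random path that cannot exist: any difference is still an existence signal. The following is an added example, not part of the original documentation. The function names and the stand-in origin are hypothetical, and the 301 for a directory requested without a trailing slash assumes Apache's default DirectorySlash behaviour.

```python
import http.client
import uuid
from urllib.parse import urlsplit

def head_status(url):
    """Status of a HEAD request; http.client never follows redirects."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.netloc, timeout=10)
    try:
        conn.request("HEAD", parts.path or "/")
        return conn.getresponse().status
    finally:
        conn.close()

def find_directory_leaks(base_url, known_dirs, fetch=head_status):
    """List (url, status, control_status) where a real directory answers
    differently from a random, nonexistent path of the same form."""
    base = base_url.rstrip("/")
    missing = uuid.uuid4().hex          # path that should not exist
    leaks = []
    for suffix in ("/", ""):            # with and without trailing slash
        control = fetch(f"{base}/{missing}{suffix}")
        for d in known_dirs:
            url = f"{base}/{d.strip('/')}{suffix}"
            status = fetch(url)
            if status != control:
                leaks.append((url, status, control))
    return leaks

def constructed_origin(hardened):
    """Constructed stand-in for the origin (no network), /b/f/k layout."""
    dirs = {"/b", "/b/f", "/b/f/k"}
    def fetch(url):
        path = urlsplit(url).path
        if path.rstrip("/") not in dirs:
            return 404
        if hardened:                    # behaviour this page describes for the rule
            return 404
        return 403 if path.endswith("/") else 301   # assumed Apache defaults
    return fetch

if __name__ == "__main__":
    for hardened in (False, True):
        leaks = find_directory_leaks("https://cdn.mycompany.com", ["b", "b/f"],
                                     fetch=constructed_origin(hardened))
        print("hardened" if hardened else "default", leaks)
```

Against your own service, call `find_directory_leaks` without the `fetch` argument, and purge the CDN cache first so cached responses do not mask the origin's new behaviour.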

Notes

Use our Check Content tool to make sure that your origin content (content on your CDN storage) returns the desired HTTP headers.

Please note that after changing origin HTTP headers you might need to purge your content from the CDN cache as it is cached with the old HTTP headers.
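The same check can be scripted for many files at once. The following is an added example, not part of the original documentation or the Check Content tool: it audits a response head (as printed by `curl -sI`) against a subset of the rules on this page. The function names and the sample responses are constructed for illustration.

```python
import re

# Expected origin headers, transcribed from the .htaccess rules on this page.
POLICY = [
    (r"\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$",
     {"cache-control": "max-age=2592000, public"}),
    (r"\.(html|htm)$",
     {"cache-control": "no-store, no-cache, must-revalidate, private"}),
    (r"\.(eot|ttf|otf|woff)$", {"access-control-allow-origin": "*"}),
    (r"\.m3u8$", {"cache-control": "no-cache, no-store, must-revalidate",
                  "content-type": "application/vnd.apple.mpegurl"}),
    (r"\.pdf$", {"content-type": "application/octet-stream",
                 "content-disposition": "attachment"}),
]

def parse_head(raw):
    """Parse a response head as printed by `curl -sI` into {name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:      # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def normalise(value):
    """Compare values as directive sets: order, case and spacing may vary."""
    return frozenset(p.strip().lower() for p in value.split(",") if p.strip())

def audit(path, raw_head):
    """Return (header, expected, actual) for every rule on `path` that fails."""
    got = parse_head(raw_head)
    failures = []
    for pattern, expected in POLICY:
        if not re.search(pattern, path):           # case-sensitive, like FilesMatch
            continue
        for name, want in expected.items():
            actual = got.get(name)
            if actual is None or normalise(actual) != normalise(want):
                failures.append((name, want, actual))
    return failures

# Constructed samples: a PDF still cached with its old headers, then after a purge.
STALE_PDF = ("HTTP/1.1 200 OK\nContent-Type: application/pdf\n"
             "Cache-Control: public, max-age=2592000\n")
FRESH_PDF = ("HTTP/1.1 200 OK\nContent-Type: application/octet-stream\n"
             "Content-Disposition: attachment\n"
             "Cache-Control: max-age=2592000, public\n")
```

A non-empty result for a URL served through the CDN while the origin passes usually means the object is still cached with the old headers and needs a purge.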
