
Checking CORS on the CDN side


When a user requests your content from another site, the user's browser may block the request, and the user will then not receive the content. The CORS mechanism, using Access-Control-* headers, lets the browser allow the request so that the user receives the content. See the CORS check example section below for details.

By default, CDN-side CORS checking is enabled and applies to all resource files. You can control the CORS settings.

If CORS checking is configured on the content source server, we recommend disabling CORS checking on the CDN side so that headers can be transferred from the source without modification.

If you add custom HTTP headers to the response sent to the user, they are added after the CORS check. If a custom header has the same name as a header set by the CORS check, the user receives the value of the custom header. For example, if the CORS check sets Access-Control-Allow-Origin to https://example.com and a custom header sets it to *, the browser receives Access-Control-Allow-Origin: * in the response, which undoes the origin restriction.

CORS check example

For example, a user on not-my-site.com opens an image that is hosted on your site at cdn.my-site.com/image.jpg.

The user's browser sends a request to cdn.my-site.com/image.jpg with an Origin header that identifies where the request came from (in this example, Origin: http://not-my-site.com).

The cdn.my-site.com server checks the value of the Origin header in the request:

  • If the domain is allowed, the server returns an Access-Control-Allow-Origin header echoing that origin (here Access-Control-Allow-Origin: http://not-my-site.com), and the browser displays the image to the not-my-site.com user.
  • If the domain is not allowed, the server does not return the Access-Control-Allow-Origin header. The browser blocks the request and does not display the image to the user.

Manage CORS parameters

You can customize the CORS check settings:

Add Allowed Domains

By default, your content is accessible from any domain: the response carries Access-Control-Allow-Origin: *.

You can restrict access to specific domains. The response then carries the domain from which the request came, for example Access-Control-Allow-Origin: https://example.com.

A request from a domain that is not in the list of allowed domains does not receive the Access-Control-Allow-Origin header in the response. The browser blocks the request and the user does not receive the content.

  1. In the Control Panel, on the top menu, click Products and select CDN.

  2. In the CDN Resources section, open the resource page → Headers tab.

  3. Make sure that the Enable CORS settings checkbox is selected in the CORS check on the CDN side block.

  4. Specify the allowed domain the setting applies to. Enter the domain without a protocol, for example example.com. The following forms are supported:

    • example.com - exact match only;
    • *.example.com - all subdomains of example.com, not including example.com itself;
    • .example.com - all subdomains of example.com (third-level domains), including example.com itself;
    • a regular expression for a more complex rule, for example ~ad+.example.com.
  5. If you need to add multiple allowed domains, click Add Domain and repeat step 4.

  6. Click Apply. The resource stays in PROCESSING status while the settings are being applied; you cannot apply other settings during this time. The settings take effect when the resource changes to ACTIVE status.
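As an added example (not the CDN vendor's code), the following Python simulates the CDN-side origin check with the four rule forms above, and the custom-header override described at the top of the page. The rule list, hostnames and the Vary: Origin header are assumptions made for illustration:

```python
import re
from urllib.parse import urlsplit

# Constructed allowed-domain list using the four rule forms from this page
# (exact, *.subdomains-only, .subdomains-and-apex, ~regular expression).
ALLOWED_RULES = ["example.com", "*.cdn-partner.net", ".my-site.com", "~ad+.example.org"]


def host_matches(rule: str, host: str) -> bool:
    """Match one allowed-domain rule against the host part of an Origin."""
    if rule.startswith("~"):
        # Regex rule: anchored with fullmatch so "~example.com" cannot match
        # "example.com.attacker.test". An unescaped "." still matches any character.
        return re.fullmatch(rule[1:], host) is not None
    if rule.startswith("*."):
        # Subdomains of the apex, not the apex itself.
        return host.endswith(rule[1:]) and host != rule[2:]
    if rule.startswith("."):
        # Subdomains and the apex itself.
        return host == rule[1:] or host.endswith(rule)
    return host == rule


def origin_allowed(origin: str, rules=ALLOWED_RULES) -> bool:
    """Return True when the Origin header value matches one allowed-domain rule."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # "null", missing or malformed origins never match
    return any(host_matches(rule, parts.hostname) for rule in rules)


def cors_response_headers(origin: str, rules=ALLOWED_RULES) -> dict:
    """CDN side: echo the allowed origin, or add nothing so the browser blocks the response."""
    if not origin_allowed(origin, rules):
        return {}
    # Vary: Origin is an added hardening assumption, not stated on the page: it keeps a
    # shared cache from serving one origin's Allow-Origin value to another origin.
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def final_headers(cors_headers: dict, custom_headers: dict) -> dict:
    """Custom headers are applied after the CORS check and win on a name clash (page's example)."""
    merged = dict(cors_headers)
    merged.update(custom_headers)
    return merged
```

The regex test below shows why a rule like ~ad+.example.org needs its dot escaped: as written it also accepts addxexample.org.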

Add allowed request headers

To keep the browser from blocking requests that carry custom headers, you can add those headers to the list of allowed request headers.

The following headers are allowed by default:

  • Accept;
  • Accept-Language;
  • Content-Type;
  • Content-Language.

You can add further headers. The response to the browser then carries Access-Control-Allow-Headers: <allowed_header>, where <allowed_header> is the name of the allowed header.

A request with a header that is not in the list of allowed headers does not receive the Access-Control-Allow-Headers header in the response. The browser blocks the request, and the user does not receive the content.

  1. In the Control Panel, on the top menu, click Products and select CDN.

  2. In the CDN Resources section, open the resource page → Headers tab.

  3. Make sure that the Enable CORS settings checkbox is selected in the CORS check on the CDN side block.

  4. In the Safe Request Headers list, enter a header name and add it. The header is added to the list of allowed headers.

  5. Optional: in the Safe Request Headers list, select headers that you have already added.

  6. If you have not added the header yet, enter its name and add it. The header is added to the list of allowed headers.

  7. Click Apply. The resource stays in PROCESSING status while the settings are being applied; you cannot apply other settings during this time. The settings take effect when the resource changes to ACTIVE status.

Add Allowed Headers for API (Expose Headers)

To prevent the browser from blocking access to custom response headers, you can add those headers to the list of exposed headers.

The following headers are exposed by default:

  • Cache-Control;
  • Content-Language;
  • Content-Type;
  • Expires;
  • Last-Modified;
  • Pragma;
  • Content-Range.

You can add further headers. The response to the browser then carries Access-Control-Expose-Headers: <expose_header>, where <expose_header> is the name of the exposed header.

A request for a header that is not in the list of exposed headers does not receive the Access-Control-Expose-Headers header in the response. The browser blocks the request, and the user does not receive the content.

  1. In the Control Panel, on the top menu, click Products and select CDN.

  2. In the CDN Resources section, open the resource page → Headers tab.

  3. Make sure that the Enable CORS settings checkbox is selected in the Expose Headers available to top-level APIs block.

  4. In the Expose Headers list, enter a header name and add it. The header is added to the list of exposed headers.

  5. Optional: in the Expose Headers list, select the headers available to the top-level API that you have already added.

  6. Click Apply. The resource stays in PROCESSING status while the settings are being applied; you cannot apply other settings during this time. The settings take effect when the resource changes to ACTIVE status.

Select allowed HTTP methods

To keep the browser from blocking requests that use certain HTTP methods, you can add those methods to the list of allowed methods.

The following methods are allowed by default: GET, HEAD, POST, OPTIONS. They cannot be disabled.

You can also select additional allowed methods. In the response, the browser receives Access-Control-Allow-Methods: <allowed_method>, where <allowed_method> is the name of the allowed method.

A request with a method that is not in the list of allowed methods does not receive the Access-Control-Allow-Methods header in the response. The browser blocks the request, and the user does not receive the content.

  1. In the Control Panel, on the top menu, click Products and select CDN.

  2. In the CDN Resources section, open the resource page → Headers tab.

  3. Make sure that the Enable CORS settings checkbox is selected in the CORS check on the CDN side block.

  4. In the Safe Methods list, select the methods you want to allow:

    • PUT;
    • PATCH;
    • DELETE;
    • OPTIONS.
  5. Click Apply. The resource stays in PROCESSING status while the settings are being applied; you cannot apply other settings during this time. The settings take effect when the resource changes to ACTIVE status.

Add Access-Control-Allow-Credentials header

When this option is enabled, the CDN adds an Access-Control-Allow-Credentials: true header to the response; this header allows cookies and authorization data to be sent with the request. The header is added only if the request passes the CORS check.

When this header is added, the request is forwarded directly to the content source. The CDN does not cache the response to such a request because it contains user-specific data.

  1. In the Control Panel, on the top menu, click Products and select CDN.

  2. In the CDN Resources section, open the resource page → Headers tab.

  3. Make sure that the Enable CORS settings checkbox is selected in the CORS check on the CDN side block.

  4. Select the Access-Control-Allow-Credentials Header checkbox.

  5. Click Apply. The resource stays in PROCESSING status while the settings are being applied; you cannot apply other settings during this time. The settings take effect when the resource changes to ACTIVE status.

Add an Access-Control-Allow-Origin header to all responses

When this option is enabled, the CDN adds an Access-Control-Allow-Origin header to every response, including error responses. This lets the requesting page handle requests that ended in an error.

  1. In the Control Panel, on the top menu, click Products and select CDN.

  2. In the CDN Resources section, open the resource page → Headers tab.

  3. Make sure that the Enable CORS settings checkbox is selected in the CORS check on the CDN side block.

  4. Select the Access-Control-Allow-Origin Header always checkbox.

  5. Click Apply. The resource stays in PROCESSING status while the settings are being applied; you cannot apply other settings during this time. The settings take effect when the resource changes to ACTIVE status.

Specify the time to cache the response to a Preflight request

A preflight request is a preliminary request using the OPTIONS method that the browser sends before the actual request. Its purpose is to check in advance that the actual request is allowed; the actual request is sent only after the preflight succeeds.

By default, the browser sends a preflight request every time. You can specify a caching time for the preflight response to speed up content delivery.

The cache time is passed in the Access-Control-Max-Age header.

  1. In the Control Panel, on the top menu, click Products and select CDN.

  2. In the CDN Resources section, open the resource page → Headers tab.

  3. Make sure that the Enable CORS settings checkbox is selected in the CORS check on the CDN side block.

  4. In the Preflight request response lifetime field, specify a value in seconds. The larger the value, the less often the browser sends preflight requests.

  5. Click Apply. The resource stays in PROCESSING status while the settings are being applied; you cannot apply other settings during this time. The settings take effect when the resource changes to ACTIVE status.
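An added example (not the vendor's code) that models the preflight exchange: the CDN side evaluates an OPTIONS request against the default and added methods and request headers from the sections above and sets Access-Control-Max-Age, and a minimal browser-side cache shows how that lifetime reduces repeated preflights. The method, header and lifetime values are assumed sample values:

```python
import time

# Defaults stated on the page: these methods and request headers are always allowed.
DEFAULT_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}
DEFAULT_HEADERS = {"accept", "accept-language", "content-type", "content-language"}


def cdn_preflight(req_method: str, req_headers: str, extra_methods=(), extra_headers=(), max_age=None) -> dict:
    """CDN side: answer an OPTIONS preflight whose Origin has already passed the origin check.

    req_method / req_headers are the Access-Control-Request-Method and
    Access-Control-Request-Headers values. Returns the headers to add, or {} when the
    browser must block (per the page, a disallowed method or header gets no Allow-* header).
    """
    allowed_methods = DEFAULT_METHODS | {m.upper() for m in extra_methods}
    allowed_headers = DEFAULT_HEADERS | {h.lower() for h in extra_headers}
    wanted = {h.strip().lower() for h in req_headers.split(",") if h.strip()}
    if req_method.upper() not in allowed_methods or not wanted <= allowed_headers:
        return {}
    out = {
        "Access-Control-Allow-Methods": ", ".join(sorted(allowed_methods)),
        "Access-Control-Allow-Headers": ", ".join(sorted(allowed_headers)),
    }
    if max_age is not None:
        out["Access-Control-Max-Age"] = str(int(max_age))  # seconds, from the lifetime field
    return out


class PreflightCache:
    """Browser side: reuse a successful preflight for Access-Control-Max-Age seconds."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._expires = {}

    def store(self, origin: str, url: str, method: str, headers: dict) -> None:
        # Per the page, without Max-Age the browser preflights every time, so cache nothing.
        if "Access-Control-Max-Age" in headers:
            key = (origin, url, method.upper())
            self._expires[key] = self._clock() + int(headers["Access-Control-Max-Age"])

    def can_skip_preflight(self, origin: str, url: str, method: str) -> bool:
        exp = self._expires.get((origin, url, method.upper()))
        return exp is not None and self._clock() < exp
```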

Disable CORS checking on CDN side

  1. In the Control Panel, on the top menu, click Products and select CDN.

  2. In the CDN Resources section, open the resource page → Headers tab.

  3. In the CORS check on the CDN side block, clear the Enable CORS settings checkbox.

  4. Click Apply. The resource stays in PROCESSING status while the settings are being applied; you cannot apply other settings during this time. The settings take effect when the resource changes to ACTIVE status.