Skip to main content
All CollectionsRulesRule Handlers
Set Response Header Handler
Set Response Header Handler

Learn how to add or modify HTTP headers in your responses to control caching behavior, enhance security, enable cross-origin functionality, or provide additional information to clients.

Drago Crnjac avatar
Written by Drago Crnjac
Updated over 3 weeks ago

What is the Set Response Header Handler?

The Set Response Header Handler allows you to add new HTTP headers or modify existing ones in responses before they're delivered to the client. Headers play a crucial role in HTTP communication, controlling aspects like caching, security policies, and cross-origin resource sharing. With this handler, you can implement these controls without modifying your upstream server's configuration.

How Set Response Header Handler Works

When a rule with a Set Response Header Handler matches an incoming request, the handler adds or modifies the specified headers in the response after it's received from your upstream server but before it's sent to the client. If a header with the same name already exists in the response, this handler will replace its value. If the header doesn't exist, it will be added.

This process is transparent to both your upstream server and the end user, allowing you to implement header-based functionality without changing your application code.

Configuration Options

The Set Response Header Handler requires a list of headers to set:

Option

Type

Required

Description

headers

array

Yes

An array of header objects to add or modify in the response

Each replacement object within the array has these properties:

Property

Type

Required

Description

name

string

Yes

The name of the header (case-insensitive, but conventional format is hyphenated with initial capitals)

value

string

Yes

The value to set for the header

API Reference

When working with Rules through the API, Set Response Header handlers are represented in JSON format. This is the same structure used in the API endpoints for creating and updating rules.

{
"type": "set_response_header",
"headers": [
{
"name": "X-Custom-Header",
"value": "custom-value"
},
{
"name": "Cache-Control",
"value": "max-age=3600"
}
]
}

In API requests, this handler would be included in the handlers array of a rule object:

{
"name": "Add Security Headers Rule",
"active": true,
"matchers": [],
"handlers": [
{
"type": "set_response_header",
"headers": [
{
"name": "Strict-Transport-Security",
"value": "max-age=31536000; includeSubDomains"
},
{
"name": "X-Content-Type-Options",
"value": "nosniff"
}
]
}
]
}

Configuration Examples

Example 1: Adding Security Headers

This handler will add essential security headers to all responses:

In the UI:

In the API:

{
"type": "set_response_header",
"headers": [
{
"name": "X-Frame-Options",
"value": "SAMEORIGIN"
},
{
"name": "Content-Security-Policy",
"value": "default-src 'self'"
}
]
}

Example 2: Configuring Cache Control

This handler will set caching directives for static assets:

In the UI:

In the API:

{
"type": "set_response_header",
"headers": [
{
"name": "Cache-Control",
"value": "max-age=604800, public"
}
]
}

This example helps browsers cache static content for one week, improving load times for returning visitors.

Example 3: Redirecting to a New Location

This handler, when combined with a Static Response, creates a redirect:

In the UI:

In the API:

{
"type": "set_response_header",
"headers": [
{
"name": "Location",
"value": "https://new-location.example.com/updated-page"
}
]
}

When used with a Static Response handler with status code 301 or 302, this will redirect users to the specified URL.

Common Use Cases

Here are some popular ways to use the Set Response Header Handler:

Enhancing Security

Implement modern security policies through headers:

  • Add HSTS headers to enforce HTTPS usage

  • Configure Content-Security-Policy to prevent XSS attacks

  • Set X-Frame-Options to prevent clickjacking

  • Add X-XSS-Protection headers for older browsers

  • Implement Feature-Policy to control browser features

Optimizing Caching

Control how browsers and CDNs cache your content:

  • Set Cache-Control headers for different content types

  • Add ETag headers for validation

  • Configure Expires headers for absolute expiration times

  • Use Vary headers to control cache variations

  • Implement stale-while-revalidate directives for optimal performance

Managing Cross-Origin Requests

Control how your resources are accessed across domains:

  • Configure Access-Control-Allow-Origin for permissible domains

  • Set Access-Control-Allow-Methods for allowed HTTP methods

  • Define Access-Control-Allow-Headers for acceptable headers

  • Add Access-Control-Max-Age to cache preflight requests

  • Support Access-Control-Allow-Credentials for authenticated requests

Implementing Redirects

Direct users to new locations without server configuration:

  • Set Location headers with destination URLs

  • Combine with Static Response handler using 301 (permanent) or 302 (temporary) status codes

  • Create conditional redirects based on complex path or query matching

Adding Custom Headers for Analytics

Pass additional information to analytics tools and services:

  • Add server-timing headers for performance tracking

  • Include custom headers with A/B test variations

  • Pass user segment information to edge analytics

  • Add tracking identifiers without client-side scripts

Setting Content Type and Encoding

Ensure proper content interpretation:

  • Set Content-Type headers for proper MIME type recognition

  • Add Content-Encoding for compression information

  • Set Charset parameters for text content

  • Configure Content-Language headers for internationalization

Combining with Other Handlers

The Set Response Header handler works well when combined with:

  • Static Response Handler: Add headers to static responses, especially for redirects

  • Rewrite Handler: Change the request destination and adjust headers accordingly

  • Replace Response Handler: Modify content and update headers to match

  • Delete Response Header Handler: Remove unwanted headers before adding new ones

The Set Response Header handler can be placed at different positions in your handler chain depending on your needs:

  • Before a Static Response handler to add headers to the custom response

  • After a Replace Response handler if the headers depend on the modified content

  • After a Delete Response Header handler to ensure clean header replacement

Best Practices

  • Use standard header names and formats where possible

  • Follow header naming conventions (hyphenated with initial capitals, like "Content-Type")

  • Be aware that header names are case-insensitive but values may be case-sensitive

  • Document your custom headers, especially for internal or debugging purposes

  • Test with different browsers to ensure compatibility

  • Keep header values reasonably sized (some servers reject very large headers)

  • Use a separate handler for security headers to make management easier

  • Be mindful of header interactions and conflicts

  • Follow specifications for standard headers to avoid unexpected behavior

Troubleshooting

If your Set Response Header handler isn't working as expected:

  • Verify that your matchers are correctly identifying the requests

  • Check for conflicts with headers already set by your upstream server

  • Ensure header values follow the correct format for each header type

  • Use browser developer tools to inspect the actual headers received

  • Check for any response code conditions that might affect header processing

  • Verify that header names don't contain invalid characters

  • Remember that some headers have restricted usage (e.g., Set-Cookie has specific requirements)

  • Test with different clients to ensure cross-browser compatibility

Limitations

  • Some headers have special handling in browsers and might not behave as expected

  • Certain headers can only be set by the browser (e.g., Cookie) and not by servers

  • Headers added by this handler will override those from your upstream server with the same name

  • Very long header values may be truncated by some proxies or clients

  • Some security headers require careful configuration to avoid breaking functionality

  • Cookies require specific formatting and attributes when using the Set-Cookie header

The Set Response Header handler provides powerful control over HTTP communication between your servers and clients. By strategically adding and modifying headers, you can enhance security, optimize performance, and enable advanced web functionality without changing your application code.

Until next time, keep building!


Need more help? Reach out via the Intercom chat widget and we'll be right with you!

Did this answer your question?