
Headers Sent by CDN to User and Origin Server

When a website uses ArvanCloud CDN, requests from visitors to that site will go to ArvanCloud CDN servers instead of the origin server hosting the site. In response to these requests, the CDN edge server sends a number of headers to the visitor, which can be used to know the status of the sent request as well as the server's response.

When the CDN edge server forwards a request to the origin server hosting the website, it also adds headers to that request. Users of the Enterprise plan can personalize these headers.

The rest of this document describes each of these headers in detail.

Headers Sent to User

X-Request-Id

This header assigns a unique code to each request sent from the visitor's side to the CDN's edge server so that if needed, the status of the CDN's request can be found by searching for it.

Also, if the user uses ArvanCloud log forwarding, they can get detailed information about the status of the request by searching for the value of this header in the logs.

X-Sid

A four-digit code indicating the unique number of the CDN edge server to which the visitor is connected.

Server-Timing

This header indicates how long it took the CDN server to receive the relevant content. This download can be from the cache in the CDN or from the origin server. The value of this header is written in milliseconds.

X-Cache

When the resources of your website are cached on the edge servers of ArvanCloud, the X-Cache header tells you the cache status of these resources.

In this header, the cache status can be one of the following:

  • HIT: The requested resource is cached on ArvanCloud edge servers and the response has been served from these servers.
  • MISS: The requested resource does not exist on our edge servers and the response is from the origin server of the website.
  • EXPIRED: The requested resource is available on ArvanCloud's edge server, but because the cache has expired, the origin server of the site has responded to this request.
  • STALE: The ArvanCloud edge server has sent an old, expired resource in response because it is simultaneously validating this resource against the origin server hosting the site due to another user's request. This situation rarely occurs.
  • BYPASS: The requested resource cannot be cached.
  • REVALIDATED: The ArvanCloud edge server has used the old version of the requested resource in its cache to respond. The difference is that in this case, the edge server has validated this resource against the origin server hosting the site using the If-Modified-Since or If-None-Match header.
  • UPDATING: The requested resource is being updated on the ArvanCloud edge server, and the response that was sent was the old version in this server's cache. This usually happens when a large resource (in terms of size) is being cached on the edge server.

X-Xss-Protection

Cross-site scripting (XSS) is a web vulnerability that exists in many websites. Unfortunately, web developers often ignore this bug or do not know enough about how to prevent it, even though it is very dangerous. Using various methods, the attacker injects arbitrary JavaScript or HTML code into the browser of one or more users of a page that has an XSS bug. This code is then executed in the user's browser and exposes the user to a range of very dangerous risks. Modern browsers have several capabilities to deal with XSS attacks, which are usually enabled by default. To use this feature in browsers, it is enough to send the X-Xss-Protection header in response to a browser's request.

Content-Security-Policy

When a website uses the HTTPS protocol, but there are still links with the HTTP protocol in its HTML pages, in order to maintain security, an error called Mixed Content is shown by the browser.

An option in the HTTPS settings section of the ArvanCloud panel can be used to fix this problem.

By activating this feature, the Content-Security-Policy header is added to the headers sent to the user, and the browser is informed to change the desired link from HTTP to HTTPS if it encounters such a problem.

Strict-Transport-Security

By activating HSTS in Abar Arvan's CDN panel, this header is added to the headers sent to the user. It informs the browser that, within a certain period of time (such as a month), if the first request to the website is HTTP, the browser should automatically convert it to an HTTPS request on its own side.
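One way to check from the visitor side that the HTTPS-related headers described above are actually being served, as an added example that is not ArvanCloud code. It assumes the Content-Security-Policy feature uses the standard upgrade-insecure-requests directive, takes the one-month period mentioned above as the minimum max-age, and uses hypothetical function names.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    max_age is None when the directive is missing or not a non-negative integer.
    """
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isascii() and arg.isdigit() else None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def csp_directives(value):
    """Return the set of lowercase directive names in a CSP header value."""
    return {d.split()[0].lower() for d in value.split(";") if d.strip()}


def audit_edge_response(headers, scheme, min_hsts_age=30 * 24 * 3600):
    """Return a list of findings for one response received from the edge.

    headers: dict with lowercase header names; scheme: "http" or "https".
    """
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    elif scheme != "https":
        # Browsers ignore HSTS received over plain HTTP (RFC 6797).
        findings.append("HSTS sent over HTTP is ignored by browsers")
    else:
        max_age, _ = parse_hsts(hsts)
        if max_age is None:
            findings.append("HSTS max-age missing or malformed")
        elif max_age == 0:
            findings.append("HSTS max-age=0 removes the policy")
        elif max_age < min_hsts_age:
            findings.append("HSTS max-age shorter than %d seconds" % min_hsts_age)
    # Assumption: the panel's mixed-content fix is upgrade-insecure-requests.
    csp = headers.get("content-security-policy", "")
    if "upgrade-insecure-requests" not in csp_directives(csp):
        findings.append("CSP does not upgrade insecure requests")
    return findings
```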

Headers Sent to Origin Server

X-Sid

It is a four-digit code and the unique number of the CDN server from which the request was sent.

X-Real-IP

This is a standard HTTP header. When a website uses a CDN, if a request is sent from the visitor's side to the website, this request first reaches the CDN's edge servers and then to the origin server of the website. Therefore, in the IP field of the sender of the request, instead of the real IP of the user, the IP of the CDN server is placed.

Since many analytical and security processes require the user's real IP, the CDN server uses this HTTP header to send the user's real IP to the origin server.

X-Forwarded-Proto

This header is a de-facto standard header and specifies the protocol using which the request entered the CDN servers in the first step. For example, if a request is sent from the user side to the CDN with the HTTP protocol, and from the CDN to the origin server with the HTTPS protocol, this header shows the HTTP value.

The connection protocol between the visitor and the CDN servers, as well as between the CDN servers and the origin servers of the website, can be set separately in ArvanCloud CDN panel.

X-Forwarded-For

This header is similar to X-Real-IP. The difference is that the IPs of the proxy servers that the user's request has passed through to reach the origin server of the site are placed next to the user's main IP. In fact, this header is an array of IPs and indicates the order in which the request passed through multiple servers until it reached the origin server of the site.
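An origin that relies on X-Real-IP or X-Forwarded-For for logging or rate limiting should honor them only on connections made by the CDN, because a client that reaches the origin directly can put any value in these headers. The following Python is an added example, not ArvanCloud code; the edge range is a constructed placeholder and the function names are hypothetical.

```python
import ipaddress

# Constructed placeholder range (RFC 5737 documentation space). Replace with
# the CDN's published edge ranges; these are NOT ArvanCloud's real addresses.
TRUSTED_EDGE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def _parse_ip(value):
    """Return an ip_address object, or None if the value is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_EDGE_RANGES)


def resolve_client_ip(peer_addr, headers):
    """Pick the client IP to use at the origin.

    peer_addr: address of the TCP peer that connected to the origin.
    headers:   dict of request headers with lowercase names.
    """
    peer = _parse_ip(peer_addr)
    if peer is None:
        raise ValueError("invalid peer address")
    # A connection that bypasses the CDN can carry any header value, so
    # forwarding headers are ignored unless the peer is a known edge server.
    if not _is_trusted(peer):
        return str(peer)
    # Walk X-Forwarded-For from the right: entries added by trusted proxies
    # are skipped, and the first untrusted entry is taken as the client.
    hops = [h for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            break  # malformed entry: do not trust anything further left
        if not _is_trusted(ip):
            return str(ip)
    # Fall back to X-Real-IP, then to the edge server's own address.
    real = _parse_ip(headers.get("x-real-ip", ""))
    return str(real) if real is not None else str(peer)
```

Reading the list from the right means values a client placed at the front of X-Forwarded-For before the request reached the CDN are never selected.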

X-Country-Code

This header has a two-letter code that indicates the country from which the request was sent. This information is obtained by using the user's IP and extracting its country from the updated GeoIP databases.

X-Request-Id

This header assigns a unique code to each request sent to the CDN server so that when needed, you can find out about the status of the request in the CDN by searching and tracking it.

Also, if the user uses ArvanCloud log forwarding, they can get detailed information about the status of the request by searching for the value of this header in their logs.

CDN-Loop

This header helps ArvanCloud determine how many times a request can enter ArvanCloud's network before it is blocked as a loop. For example:

CDN-Loop: arvancloud; count=1

Accept-Encoding

By default, this header is set to gzip for incoming requests. If one of the modules for image resizing, acceleration, or a CDN App is active, ArvanCloud sets the value of this header as follows:

Accept-Encoding: identify