This document describes how to use the Performance & Delivery Rules builder to create rules to control request and response headers and response cookies.
For general information about the Performance & Delivery Rules screen, see Configuring Performance & Delivery Rules in the Portal.
In the rule builder screen, select criteria you want to use to decide to set up headers or cookie rules. Then specify either Response cookie, Response headers, or Request headers.
For example, here we want to remove the Accept-Encoding header from the request:
These settings are described below.
Request and Response header
The choices are Append (default), Set, or Delete.
- Append means that the header and value you specify will be added to the existing request or response header.
- Set means that the header and value you specify will replace the existing request or response header.
- Delete means the header you specify will be deleted from the existing request or response header.
You can manipulate as many headers as you need by clicking the + button to the right to add another line:
These settings allow you to add or remove downstream cookies. This creates Set-Cookie header(s) in the response to the client. These modifications are applied after any changes made by response header settings.
Adds a Set-Cookie header to create or delete a cookie on the client. There are two possible values:
Set: adds a Set-Cookie header to create a cookie. While it is not recommended, there can be multiple Set-Cookie headers that specify the same cookie-name, domain-value, and path-value. In this case a compliant downstream will process the Set-Cookie headers in order and overwrite older values with newer ones.
Delete: adds a Set-Cookie header to delete a cookie. HTML doesn't have an explicit way to delete a cookie, so to do this we follow the common convention of setting the expire time to 0 (meaning 0 epoch time). This causes the client to remove the cookie.
For setting cookies, you specify the following:
- Cookie name
- Cookie value
- TTL: an integer number of seconds, minutes, hours, or days
- Domain: the cookie domain. If not specified, it defaults to the domain of the requested resource.
- Path: the cookie path. If not specified, it defaults to the path of the requested resource.
- Secure: whether or not the cookie is secure. The default is False.
- HTTP only: this can be set to True to enable the cookie to be sent on HTTP requests only. The default value is False.
Example of setting a cookie:
Delete means the cookie you specify will be deleted from the existing request or response header. You only need to specify the Cookie name.
Example of deleting a cookie:
As with Request and Response headers, you can set and/or delete as many cookies as you need by clicking the + button to the right to add another line.