Header rules
A header rule adds, sets, or deletes a single HTTP header on requests or responses for URLs that match its URL operator. Leave the match value empty to apply the rule globally.
Fields
| Field | Type | Required | Notes |
|---|---|---|---|
name | string | Yes | Display name. |
pattern | string | No | The match value. Empty = global (applies to every request). Max length 500. |
matchType | integer | No | Equals=0, Contains=1, StartsWith=2, EndsWith=3, Regex=4. Defaults to Contains (1). |
action | integer | Yes | Add=0, Set=1, Delete=2. See Actions. |
headerName | string | Yes | The header to manipulate. Validated against protected headers — see below. |
headerValue | string | Conditional | Required for Add and Set; not needed for Delete. Max length 1000. |
applyToRequest | boolean | No | false (default) = response header; true = request header. |
order | integer | Yes | Lower runs first. See how rules work. |
isEnabled | boolean | Yes | Toggle without deleting. |
Actions
action | UI label | Behavior | headerValue |
|---|---|---|---|
0 | Add | Adds the header. | Required |
1 | Set/Replace | Sets the header, replacing any existing value. | Required |
2 | Delete | Removes the header. | Not used |
:::warning There is no separate "Replace" action
The shipped enum has only Add=0, Set=1, and Delete=2. The panel labels Set as "Set/Replace" because setting already replaces an existing value — there is no separate Replace value. Use Set (1) to overwrite.
:::
Request vs. response
The applyToRequest toggle decides which side the header is applied to:
applyToRequest: false(default) — modifies the response sent to the client.applyToRequest: true— modifies the request the edge sends upstream to your origin.
Protected headers
headerName is validated (case-insensitive) against a list of CDN-controlled protected headers on both create and update. Attempting to use a protected name returns:
400 Header '<name>' is protected and cannot be modified by user rules.
The panel blocks submission before the request is even sent, showing "This header is protected by the CDN and cannot be modified." Fetch the current list to validate client-side:
curl -H "X-Api-Key: pdm_YOUR_KEY" \
"https://api.paradarum.com/api/protected-headers"
Account scoping is automatic. The accountId is never sent by the client — it is taken from your API key or session, and a property that does not belong to your account returns 404 "Property not found." rather than 403.
Endpoints
POST /api/Property/{id}/rules/header
PUT /api/Property/{id}/rules/header/{ruleId}
POST returns 201 "Header rule created successfully."; PUT returns 200. Both run the protected-header check. See the full API reference.
Examples
Add a response header to every request
An empty pattern makes this rule global (POST /api/Property/42/rules/header):
{
"name": "Add cache-status header",
"pattern": "",
"matchType": 1,
"action": 0,
"headerName": "X-Custom-Header",
"headerValue": "served-by-paradarum",
"applyToRequest": false,
"order": 1,
"isEnabled": true
}
Delete a header, scoped to a path
Strip X-Powered-By from responses only under /api/ (StartsWith). Delete needs no headerValue:
{
"name": "Strip X-Powered-By under /api",
"pattern": "/api/",
"matchType": 2,
"action": 2,
"headerName": "X-Powered-By",
"applyToRequest": false,
"order": 2,
"isEnabled": true
}
curl -X POST "https://api.paradarum.com/api/Property/42/rules/header" \
-H "X-Api-Key: pdm_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Strip X-Powered-By under /api",
"pattern": "/api/",
"matchType": 2,
"action": 2,
"headerName": "X-Powered-By",
"applyToRequest": false,
"order": 2,
"isEnabled": true
}'
:::tip CORS for HLS playback
A common use is adding an Access-Control-Allow-Origin response header so players can fetch HLS segments cross-origin. See the HLS examples for a complete CORS rule set.
:::
Next steps
- HLS examples — header rules for CORS on streaming responses.
- Match operators — scope a header rule to specific URLs.
- API reference — full request and response schemas.