CloudFront sent the Authorization header to the origin even though it was not included in the origin request policy.


I set up a CloudFront distribution with an API Gateway as the origin. In the behavior, I added this origin and set the cache policy to the preset Managed-CachingDisabled, with the origin request policy disabled. The API Gateway finally prints the entire request body, and I noticed that the Authorization header appears.

From https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html, I understand that if an origin request policy is not set, Authorization should not be forwarded by default. Why is this header still being received in the end?

I set an edge function on Viewer Request. It verifies the Authorization header and adds a 'uuid' header. I think it's unrelated to this problem, because I can't even receive this 'uuid' header when I test this problem. I didn't set any custom header in the origin settings.

asked 5 months ago · 104 views
1 Answer

For custom origins, CloudFront will forward the Authorization header in some instances if you do not have CloudFront configured to cache based on header values. This would be the case if you're using the Managed-CachingDisabled cache policy. The behavior depends on the request method as follows:

  • GET and HEAD requests – CloudFront removes the Authorization header field before forwarding the request to your origin.

  • OPTIONS requests – CloudFront removes the Authorization header field before forwarding the request to your origin if you configure CloudFront to cache responses to OPTIONS requests. CloudFront forwards the Authorization header field to your origin if you do not configure CloudFront to cache responses to OPTIONS requests.

  • DELETE, PATCH, POST, and PUT requests – CloudFront does not remove the header field before forwarding the request to your origin.

See the section "HTTP request headers and CloudFront behavior (custom and Amazon S3 origins)" from [1] for a table of request headers and corresponding CloudFront behaviors.

[1] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html

AWS · answered 2 months ago
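A way to check the table in the answer above against a real distribution, added here as an example and not code from the question or the answer. It sends each HTTP method with an Authorization header and asks the origin whether it arrived. The origin is a constructed local echo server that reports what it saw in a hypothetical `X-Origin-Saw-Authorization` response header (the questioner's API Gateway printed the request instead; any origin that reports the received headers works). Run it with no argument to exercise the probe against the local origin, where nothing is stripped, or pass the URL of a CloudFront distribution that fronts such an origin to see which methods leak the header.

```python
"""Probe which HTTP methods deliver the Authorization header to an origin.

Added example (not from the original question or answer). Assumes an origin
that answers every request with a hypothetical X-Origin-Saw-Authorization
header set to "yes" or "no"; the EchoOrigin below is a constructed stand-in.
"""
import json
import sys
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

METHODS = ("GET", "HEAD", "OPTIONS", "POST", "PUT", "PATCH", "DELETE")


def expected_forwarded(method, options_cached=False):
    """Documented CloudFront behaviour for a custom origin when no origin
    request policy forwards Authorization and caching is not keyed on it.
    OPTIONS is only stripped when OPTIONS responses are cached."""
    method = method.upper()
    if method in ("GET", "HEAD"):
        return False
    if method == "OPTIONS":
        return not options_cached
    if method in ("DELETE", "PATCH", "POST", "PUT"):
        return True
    raise ValueError(f"method not covered by the documented table: {method}")


class EchoOrigin(BaseHTTPRequestHandler):
    """Constructed stand-in origin: reports the headers it received."""

    def _echo(self):
        length = int(self.headers.get("Content-Length", 0))
        if length:
            self.rfile.read(length)  # drain the body before replying
        saw = "yes" if self.headers.get("Authorization") else "no"
        body = json.dumps({"method": self.command,
                           "headers": dict(self.headers.items())}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("X-Origin-Saw-Authorization", saw)  # hypothetical
        self.end_headers()
        if self.command != "HEAD":  # HEAD responses carry no body
            self.wfile.write(body)

    do_GET = do_HEAD = do_OPTIONS = do_POST = do_PUT = do_PATCH = do_DELETE = _echo

    def log_message(self, *args):
        pass  # keep the probe output readable


def start_echo_origin():
    """Start the stand-in origin on a free loopback port; return (server, url)."""
    srv = HTTPServer(("127.0.0.1", 0), EchoOrigin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


def probe(base_url, methods=METHODS, token="Bearer constructed-test-token"):
    """Send each method with Authorization set; return {method: origin saw it}."""
    seen = {}
    for m in methods:
        data = b"{}" if m in ("POST", "PUT", "PATCH") else None
        req = urllib.request.Request(base_url, data=data, method=m,
                                     headers={"Authorization": token,
                                              "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                hdrs = resp.headers
        except urllib.error.HTTPError as e:  # non-2xx still tells us what arrived
            hdrs = e.headers
        seen[m] = hdrs.get("X-Origin-Saw-Authorization") == "yes"
    return seen


def compare(observed, options_cached=False):
    """Methods whose observed forwarding differs from the documented table,
    mapped to (observed, expected)."""
    return {m: (obs, expected_forwarded(m, options_cached))
            for m, obs in observed.items()
            if obs != expected_forwarded(m, options_cached)}


if __name__ == "__main__":
    srv, local_url = start_echo_origin()
    target = sys.argv[1] if len(sys.argv) > 1 else local_url
    for m, saw in probe(target).items():
        print(f"{m:7} origin saw Authorization: {saw!s:5}  documented: {expected_forwarded(m)}")
    srv.shutdown()
```

Against the local origin every method reports the header, which is the expected result with no CloudFront in the path and confirms the probe itself works; `compare()` then flags GET and HEAD as the only methods where the documented CloudFront behaviour differs. Against a distribution, a POST that still reports `True` is the questioner's situation: the header reaches the origin even though the origin request policy never listed it, so anything that must not see the bearer token has to strip it explicitly (a viewer-side function) rather than rely on the policy omitting it.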
