Posted On: Nov 2, 2021

Today, Amazon CloudFront is launching support for response headers policies. You can now add cross-origin resource sharing (CORS), security, and custom headers to HTTP responses returned by your CloudFront distributions. You no longer need to configure your origins or use custom Lambda@Edge or CloudFront Functions to insert these headers.

You can use CloudFront response headers policies to secure your application’s communications and customize its behavior. With CORS headers, you can specify which origins a web application is allowed to access resources from. You can insert any of the following security headers to exchange security-related information between web applications and servers: HTTP Strict Transport Security (HSTS), X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Content-Security-Policy. For example, HSTS enforces the use of encrypted HTTPS connections instead of plain-text HTTP. You can also add custom key-value pairs to response headers using response headers policies to modify a web application’s behavior. Response headers you insert are also accessible to Lambda@Edge functions and CloudFront Functions, enabling more advanced custom logic at the edge.

With this release, CloudFront is also providing several pre-configured response headers policies. These include policies for default security headers, a CORS policy allowing resource sharing from any origin, a pre-flight CORS policy allowing all HTTP methods, and policies combining default security headers with CORS or pre-flight CORS. You can also create your own custom policies for different content and application profiles and apply them to the cache behaviors of any CloudFront distribution with similar characteristics.

CloudFront response headers policies are available for immediate use via the CloudFront Console, the AWS SDKs, and the AWS CLI. For more information, refer to the CloudFront Developer Guide. There is no additional fee for using the CloudFront response headers policies.
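As an added example (not AWS code or text from this announcement), the following Python script shows what a policy combining the security headers listed above, a restrictive CORS configuration, and a custom header looks like in the shape that `CreateResponseHeadersPolicy` accepts, renders the header values CloudFront will emit for the security section, and audits a captured response against that expectation so a deployment check can flag a distribution where the policy is not attached or the origin's weaker value is still winning. The policy name, the CSP value, the allowed origin, the custom header, and the sample response are constructed; `create_policy` expects a boto3 CloudFront client and is never called at import time, so the rest runs offline.

```python
"""Build a CloudFront response headers policy and verify its effect.

Added example, not AWS code. The dict shape follows CloudFront's
ResponseHeadersPolicyConfig; policy name, CSP, origin, custom header and the
sample response are constructed for illustration.
"""
from __future__ import annotations

# "Override": True makes the policy value replace a same-named header the
# origin already returned, which is what you want for security headers.
POLICY_CONFIG = {
    "Name": "example-security-headers",  # hypothetical policy name
    "Comment": "HSTS, CSP, CORS and a custom header inserted at the edge",
    "SecurityHeadersConfig": {
        "StrictTransportSecurity": {
            "Override": True,
            "IncludeSubdomains": True,
            "Preload": True,
            "AccessControlMaxAgeSec": 31536000,
        },
        "ContentTypeOptions": {"Override": True},
        "FrameOptions": {"Override": True, "FrameOption": "DENY"},
        "XSSProtection": {"Override": True, "Protection": True, "ModeBlock": True},
        "ReferrerPolicy": {"Override": True, "ReferrerPolicy": "strict-origin-when-cross-origin"},
        "ContentSecurityPolicy": {
            "Override": True,
            "ContentSecurityPolicy": "default-src 'self'; frame-ancestors 'none'",
        },
    },
    "CorsConfig": {  # constructed: allow one first-party origin, not "*"
        "AccessControlAllowOrigins": {"Quantity": 1, "Items": ["https://app.example.com"]},
        "AccessControlAllowHeaders": {"Quantity": 1, "Items": ["Content-Type"]},
        "AccessControlAllowMethods": {"Quantity": 2, "Items": ["GET", "OPTIONS"]},
        "AccessControlAllowCredentials": False,
        "AccessControlMaxAgeSec": 600,
        "OriginOverride": True,
    },
    "CustomHeadersConfig": {
        "Quantity": 1,
        "Items": [{"Header": "X-Served-By", "Value": "cloudfront-edge", "Override": False}],
    },
}


def expected_security_headers(config: dict) -> dict[str, str]:
    """Render the header lines CloudFront emits for a SecurityHeadersConfig."""
    sec = config["SecurityHeadersConfig"]
    out: dict[str, str] = {}
    hsts = sec.get("StrictTransportSecurity")
    if hsts:
        value = f"max-age={hsts['AccessControlMaxAgeSec']}"
        if hsts.get("IncludeSubdomains"):
            value += "; includeSubDomains"
        if hsts.get("Preload"):
            value += "; preload"
        out["strict-transport-security"] = value
    if sec.get("ContentTypeOptions"):
        out["x-content-type-options"] = "nosniff"
    if "FrameOptions" in sec:
        out["x-frame-options"] = sec["FrameOptions"]["FrameOption"]
    xss = sec.get("XSSProtection")
    if xss:
        value = "1" if xss["Protection"] else "0"
        if xss.get("ModeBlock"):
            value += "; mode=block"
        if xss.get("ReportUri"):
            value += f"; report={xss['ReportUri']}"
        out["x-xss-protection"] = value
    if "ReferrerPolicy" in sec:
        out["referrer-policy"] = sec["ReferrerPolicy"]["ReferrerPolicy"]
    if "ContentSecurityPolicy" in sec:
        out["content-security-policy"] = sec["ContentSecurityPolicy"]["ContentSecurityPolicy"]
    return out


def audit_response(headers: dict[str, str], config: dict) -> list[str]:
    """Names of expected security headers that are missing from, or differ in,
    a captured response (header names compared case-insensitively)."""
    present = {k.lower(): v for k, v in headers.items()}
    expected = expected_security_headers(config)
    return sorted(name for name, want in expected.items() if present.get(name) != want)


def create_policy(cloudfront_client, config: dict) -> str:
    """Create the policy with a boto3 CloudFront client and return its Id."""
    resp = cloudfront_client.create_response_headers_policy(ResponseHeadersPolicyConfig=config)
    return resp["ResponseHeadersPolicy"]["Id"]


# Constructed sample: what a distribution returned before the policy was
# attached. The origin set only a weaker X-Frame-Options, so every header
# in the policy is reported.
ORIGIN_ONLY_RESPONSE = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    for name, value in expected_security_headers(POLICY_CONFIG).items():
        print(f"{name}: {value}")
    print("missing or mismatched:", audit_response(ORIGIN_ONLY_RESPONSE, POLICY_CONFIG))
```

Run it as-is to see the rendered headers and the audit result; once the policy is attached to a cache behavior, feed `audit_response` the headers from a real response (for example from `curl -sI`) and treat a non-empty list as a failed check. Note that the CORS and custom headers are not audited here because their presence depends on the request (an `Origin` header for CORS, and `Override: False` lets an origin-supplied custom header win).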