Posted On: Jan 13, 2023

Amazon CloudFront now supports the "Cloudfront-viewer-header-order" and "Cloudfront-viewer-header-count" headers, enabling customers to track the total number of HTTP headers sent with each request, as well as the order in which the headers were sent. Customers can use the two headers to detect and identify request patterns and compare them to the expected and legitimate patterns. This, used in conjunction with other access control rules, can help customers detect and block any attempts to spoof requests.

The "Cloudfront-viewer-header-order" header contains a colon-separated list of the request headers, in the order in which they were sent. For instance, "Cloudfront-viewer-header-order: Host:User-Agent:Accept:Accept-Encoding". The "Cloudfront-viewer-header-count" header stores the total number of request headers. For instance, "Cloudfront-viewer-header-count: 4".

Customers have been using AWS WAF access control rules (ACLs) and building their own access control measures for detecting requests' fingerprints using CloudFront headers, such as the "Cloudfront-viewer-ja3-fingerprint" and "CloudFront-viewer-tls" headers. With the launch of the new headers today, customers can further strengthen their access control measures by verifying additional dimensions of request metadata. For instance, browsers with the same HTTP protocol version usually send HTTP headers in a certain order. If the browser type indicated by the User-Agent header does not correspond to the order of the request headers, then the request may not be coming from the claimed source. Additionally, if the value of the "Cloudfront-viewer-header-count" header does not match the number of headers listed in the "Cloudfront-viewer-header-order" header, customers can investigate further to verify whether the request is coming from a spoofed source.

Customers can add these two headers to their Origin Request Policy. These headers can then be used to construct custom logic on their origin server, or at the edge using CloudFront Functions and Lambda@Edge.
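The two checks described above, written as origin-side logic. This is an added example, not code from AWS: the function name `checkViewerHeaders`, the finding labels, and the `EXPECTED_ORDER` baseline (including the `ExampleBrowser/1.0` client) are hypothetical, and the function assumes the request headers arrive as a plain object keyed by lowercase header name.

```javascript
// Constructed baseline: the header order each known client is expected to send.
// In practice this table is built from your own legitimate traffic.
const EXPECTED_ORDER = {
  "ExampleBrowser/1.0": ["host", "user-agent", "accept", "accept-encoding"],
};

// headers: plain object mapping lowercase header names to string values.
function checkViewerHeaders(headers) {
  const rawOrder = headers["cloudfront-viewer-header-order"];
  const rawCount = headers["cloudfront-viewer-header-count"];
  if (rawOrder === undefined || rawCount === undefined) {
    // Headers not forwarded: the Origin Request Policy does not include them.
    return { ok: false, findings: ["missing-cloudfront-headers"] };
  }
  const findings = [];
  const order = rawOrder.split(":")
    .map((name) => name.trim().toLowerCase())
    .filter((name) => name.length > 0);

  // Check 1: the count header must agree with the number of listed headers.
  const count = /^\d+$/.test(rawCount.trim()) ? Number(rawCount.trim()) : NaN;
  if (Number.isNaN(count)) findings.push("count-not-numeric");
  else if (count !== order.length) findings.push("count-order-mismatch");

  // Check 2: the order must fit the client claimed in User-Agent.
  const ua = headers["user-agent"] || "";
  const profile = Object.keys(EXPECTED_ORDER).find((key) => ua.includes(key));
  if (profile === undefined) {
    findings.push("unknown-client-profile");
  } else {
    // Compare only the relative order of baseline headers; extras are tolerated.
    const baseline = EXPECTED_ORDER[profile];
    const seen = order.filter((name) => baseline.includes(name));
    if (seen.join(":") !== baseline.join(":")) findings.push("order-mismatch");
  }
  return { ok: findings.length === 0, findings, order, count };
}

// Constructed sample request, using the values quoted in the announcement.
const sample = {
  "cloudfront-viewer-header-order": "Host:User-Agent:Accept:Accept-Encoding",
  "cloudfront-viewer-header-count": "4",
  "user-agent": "ExampleBrowser/1.0",
};
console.log(checkViewerHeaders(sample).findings); // no findings for this sample
```

A non-empty `findings` list is a signal to log and investigate alongside other access control rules, not a verdict on its own.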

"Cloudfront-viewer-header-order" and "Cloudfront-viewer-header-count" headers are immediately available in all CloudFront edge locations. You can enable them in the CloudFront Console or using the AWS SDK, and there are no additional fees for using these headers. For further information, please refer to the CloudFront Developer Guide.