Posted On: Jan 3, 2023

Amazon CloudFront now supports the removal of response headers using response header policies, giving customers a native capability to remove specified headers served from CloudFront. This new capability, along with the existing ability to add and override headers, provides comprehensive flexibility for customers to customize response headers.

Until today, response header policies have allowed customers to specify HTTP headers that Amazon CloudFront adds to responses sent to viewers, including CORS headers, security headers, or custom headers. Now, customers can use response header policies to selectively remove headers before they reach viewers: headers that the origin needs for application logic or for CDN-specific caching but that should not be exposed. For example, a customer may have a blog application that sends an "x-powered-by" header; if revealed, the technology it names could be targeted by attackers for its known vulnerabilities. To protect against this, the customer can use a response header policy to prevent the header from being sent to viewers. Similarly, an origin may generate a "Vary" header to indicate which request headers influenced its response; viewers rarely need this information, and it can be removed using a response header policy.
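As an added example (not part of the announcement or AWS's own code), the following builds a response headers policy configuration in the shape the CreateResponseHeadersPolicy API accepts, with a RemoveHeadersConfig for the two headers discussed above, and then simulates what a viewer would receive from a constructed origin response. The header choices, the sample origin response and the simplified simulation of CloudFront's behaviour are assumptions for illustration.

```python
"""Build a CloudFront response headers policy that strips leaky headers.

Constructed example: the config shape follows the CreateResponseHeadersPolicy
API (RemoveHeadersConfig / SecurityHeadersConfig); the header choices and the
simulation below are assumptions for illustration, not CloudFront's code.
"""
import json

# Headers to hide from viewers (assumed choices for a blog origin)
HEADERS_TO_REMOVE = ["x-powered-by", "Server", "Vary"]


def build_policy_config(name: str, remove: list[str]) -> dict:
    """Return a ResponseHeadersPolicyConfig usable with
    `aws cloudfront create-response-headers-policy
       --response-headers-policy-config file://policy.json`.
    Every list in the CloudFront API carries a Quantity field."""
    return {
        "Name": name,
        "Comment": "Strip origin fingerprint headers, add baseline security headers",
        "RemoveHeadersConfig": {
            "Quantity": len(remove),
            "Items": [{"Header": h} for h in remove],
        },
        "SecurityHeadersConfig": {
            "ContentTypeOptions": {"Override": True},
            "FrameOptions": {"FrameOption": "DENY", "Override": True},
        },
    }


def apply_policy(origin_headers: dict, config: dict) -> dict:
    """Approximate the viewer-facing response: drop removed headers
    (HTTP header names are case-insensitive) and add the two security
    headers configured above. Override=True replaces any origin value."""
    drop = {item["Header"].lower() for item in config["RemoveHeadersConfig"]["Items"]}
    out = {k: v for k, v in origin_headers.items() if k.lower() not in drop}
    sec = config.get("SecurityHeadersConfig", {})
    if "ContentTypeOptions" in sec:
        out["X-Content-Type-Options"] = "nosniff"
    if "FrameOptions" in sec:
        out["X-Frame-Options"] = sec["FrameOptions"]["FrameOption"]
    return out


# Constructed sample origin response, as a blog backend might emit
ORIGIN_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Powered-By": "Express",
    "Server": "nginx/1.18.0",
    "Vary": "Accept-Encoding",
    "Cache-Control": "public, max-age=300",
}

if __name__ == "__main__":
    cfg = build_policy_config("strip-fingerprints", HEADERS_TO_REMOVE)
    print(json.dumps(cfg, indent=2))  # save as policy.json for the CLI call above
    print(apply_policy(ORIGIN_RESPONSE, cfg))
```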

Removing headers using response header policies is now available through the CloudFront Console, AWS SDKs, and the AWS CLI. There are no additional fees associated with this feature. Please note that some HTTP headers are read-only or otherwise inaccessible and hence cannot be removed. For more information on which headers cannot be removed, see Restrictions on Edge Functions. To get started with CloudFront, please visit the CloudFront product page.