
Application Security - Origin cloaking
Origin cloaking stops malicious actors from bypassing CloudFront, and the security controls attached to it, by attacking the origin directly. The origin accepts a request only if it carries a shared secret that CloudFront adds as a custom header; requests without the correct value are rejected.

- ALB-based origin. You can validate the secret header on an ALB-based origin with an ALB listener rule, or with an AWS WAF rule if the ALB is already associated with an AWS WAF web ACL.
- API Gateway-based origin. You can validate the secret header on an API Gateway-based origin using API keys.
- NGINX-based origin. Assuming that CloudFront sends a custom header X-CloudFront with the value abc123, you can validate the secret header on an NGINX-based web server (cloud-hosted or on-premises) by adding the following code in the server block of the /etc/nginx/nginx.conf configuration file:
- Apache-based origin. Assuming that CloudFront sends a custom header X-CloudFront with the value abc123, you can validate the secret header on an Apache-based web server (cloud-hosted or on-premises) by adding the following code to the httpd.conf configuration file (and to ssl.conf if it is used):
- In all cases, rotate this shared secret on a regular basis to reduce the impact of a leaked secret. In the sample implementations shared above, both the API Gateway one and the ALB one include automation for secret rotation.
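The check that the NGINX and Apache snippets perform, and the rotation overlap the last point calls for, shown in Python as an added example (not code from the post or from the AWS samples it refers to). It keeps the page's assumed header name X-CloudFront and value abc123; the replacement value new-secret-456, the SecretStore class and the handle function are constructed for this illustration. The example goes one step beyond the single-value check in the text: during a rotation it accepts both the outgoing and the incoming secret, because CloudFront's origin custom header and the origin's configuration are not updated at the same instant.

```python
"""Origin-side validation of the CloudFront shared-secret header.

Added example. Rejects any request whose X-CloudFront header does not
carry an accepted secret, and supports a rotation window in which the
previous and the new secret are both valid. Header name and value abc123
are the page's assumed values; new-secret-456 and all helper names are
constructed here.
"""
import hmac
from dataclasses import dataclass
from typing import List, Mapping, Optional

HEADER_NAME = "x-cloudfront"  # HTTP header names are case-insensitive


@dataclass
class SecretStore:
    """Holds the active secret and, during a rotation, the previous one.

    Both values are accepted until every CloudFront edge sends the new
    header value; retire_previous() then closes the window.
    """
    current: str
    previous: Optional[str] = None

    def rotate(self, new_secret: str) -> None:
        """Start a rotation: the old secret stays valid alongside the new one."""
        self.previous, self.current = self.current, new_secret

    def retire_previous(self) -> None:
        """End the rotation window: only the current secret is accepted."""
        self.previous = None

    def accepted(self) -> List[str]:
        return [s for s in (self.current, self.previous) if s]


def is_from_cloudfront(headers: Mapping[str, str], store: SecretStore) -> bool:
    """Return True only if the request carries a currently accepted secret.

    hmac.compare_digest is used so that response timing does not reveal
    how many leading characters of a guessed value were correct.
    """
    supplied = None
    for name, value in headers.items():
        if name.lower() == HEADER_NAME:
            supplied = value
            break
    if supplied is None:
        return False  # direct hit on the origin: header absent
    return any(
        hmac.compare_digest(supplied.encode(), secret.encode())
        for secret in store.accepted()
    )


def handle(headers: Mapping[str, str], store: SecretStore) -> int:
    """Mimic the web server's decision: 403 for direct hits, 200 otherwise."""
    return 200 if is_from_cloudfront(headers, store) else 403


if __name__ == "__main__":
    store = SecretStore(current="abc123")
    print(handle({"X-CloudFront": "abc123"}, store))  # request that came via CloudFront
    print(handle({}, store))                          # request sent straight to the origin
    store.rotate("new-secret-456")                    # both values accepted from here
    print(handle({"X-CloudFront": "abc123"}, store))
    store.retire_previous()                           # old value now rejected
    print(handle({"X-CloudFront": "abc123"}, store))
```

In a real deployment the 403 branch is what the NGINX or Apache rule returns; the point of the two-secret window is that the CloudFront distribution update and the origin configuration change can be made in either order without a period in which legitimate traffic is refused.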
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.