How can I configure CloudFront to forward the Authorization header to the origin?

The origin of my Amazon CloudFront distribution requires that requests include the Authorization header. Because of this, my distribution must forward the Authorization header to the origin.

Short description

Configure your distribution to forward the Authorization header to the origin in one of these ways:

  • Create a cache policy. Then, associate the cache policy with the cache behavior that must forward the Authorization header.
    Note: You can't use an origin request policy to forward the Authorization header. The header must be part of the cache key so that a response cached for one authorized request is never served to a request carrying different or missing credentials. CloudFront returns an HTTP 400 error if you create an origin request policy that forwards the Authorization header.
  • Edit an existing cache behavior with legacy cache settings.

Important: For Amazon Simple Storage Service (Amazon S3) origins, caching based on the Authorization header isn't supported. For more information, see Selecting the headers to base caching on.

Resolution

Create a cache policy

  1. Follow the steps to create a cache policy using the CloudFront console.
  2. Under Cache key settings, for Headers, choose Include the following headers. Then, under Add Headers, select Authorization.
  3. Complete all other settings of the cache policy based on the requirements of the behavior that you're attaching the policy to. Then, choose Create.
  4. After you create the cache policy, follow the steps to attach the policies to the relevant behavior of your CloudFront distribution.
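The same cache policy can be created with the CloudFront API instead of the console. The following is an added example (not from the article) that builds the boto3 `CachePolicyConfig` with Authorization in the cache key and pre-checks the rule stated above: Authorization must be in the cache policy and must not appear in an origin request policy. The policy name and TTL values are constructed placeholders.

```python
"""Build and sanity-check a CloudFront cache policy that forwards Authorization."""
from typing import Any, Dict, List, Optional

AUTH = "Authorization"


def cache_policy_config(name: str, min_ttl: int = 0, default_ttl: int = 0,
                        max_ttl: int = 86400) -> Dict[str, Any]:
    """Return a CachePolicyConfig (boto3 shape) that puts Authorization in the cache key.

    The TTLs are constructed defaults; tune them for your origin. Because the header is
    part of the cache key, responses are cached per credential value, not shared.
    """
    return {
        "Name": name,
        "Comment": "Forward Authorization to the origin as part of the cache key",
        "MinTTL": min_ttl, "DefaultTTL": default_ttl, "MaxTTL": max_ttl,
        "ParametersInCacheKeyAndForwardedToOrigin": {
            "EnableAcceptEncodingGzip": True,
            "EnableAcceptEncodingBrotli": True,
            "HeadersConfig": {"HeaderBehavior": "whitelist",
                              "Headers": {"Quantity": 1, "Items": [AUTH]}},
            "CookiesConfig": {"CookieBehavior": "none"},
            "QueryStringsConfig": {"QueryStringBehavior": "none"},
        },
    }


def _listed_headers(cfg: Dict[str, Any]) -> List[str]:
    # Header names are case-insensitive, so compare in lower case.
    return [h.lower() for h in cfg.get("HeadersConfig", {}).get("Headers", {}).get("Items", [])]


def validate_policies(cache_cfg: Dict[str, Any],
                      origin_req_cfg: Optional[Dict[str, Any]] = None) -> List[str]:
    """Return a list of problems; an empty list means the policies follow the article's rule."""
    problems = []
    params = cache_cfg["ParametersInCacheKeyAndForwardedToOrigin"]
    if AUTH.lower() not in _listed_headers(params):
        problems.append("cache policy does not include Authorization in the cache key")
    if origin_req_cfg and AUTH.lower() in _listed_headers(origin_req_cfg):
        problems.append("origin request policy lists Authorization; CloudFront returns HTTP 400")
    return problems


if __name__ == "__main__":
    import boto3  # only needed for the real API call; requires AWS credentials
    cfg = cache_policy_config("forward-authorization-header")  # constructed name
    assert not validate_policies(cfg)
    resp = boto3.client("cloudfront").create_cache_policy(CachePolicyConfig=cfg)
    print("created cache policy", resp["CachePolicy"]["Id"])  # attach this Id to the behavior
```

After the policy exists, attach its Id as the `CachePolicyId` of the cache behavior that must forward the header, exactly as step 4 describes for the console.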

Edit an existing cache behavior with legacy cache settings

  1. Open the CloudFront console, and then choose your distribution.
  2. Choose the Behaviors tab, and then select the path that you want to forward the Authorization header to.
  3. Choose Edit.
  4. Under Headers, choose Include the following headers. Then, under Add Headers, select Authorization.
  5. Choose Save changes.

AWS OFFICIAL
Updated 2 years ago
2 Comments

Please note that when you want to do this while at the same time disabling caching, you need to set the maxTtl > 0, otherwise policy validation will fail.

Besides, the design decision to have the "Authorization" header set in the cache policy, while NOT having it in the origin request policy, is counterintuitive and hides the fact that this header is actually sent to the origin, since it's not present in the origin request policy. I would propose to require having it in both places instead.

Jay Kay
replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 9 months ago