Amazon CloudFront
Developer Guide (API Version 2016-09-29)

Header Restrictions

Lambda@Edge has some header restrictions that you should be aware of, such as blacklisted headers and read-only headers.

Blacklisted Headers

Certain headers are not exposed and cannot be added by Lambda@Edge functions. Adding a blacklisted header fails CloudFront validation, and results in an HTTP 502 error for the user.

These headers include the following:

  • Headers that begin with X-Amz-* (except X-Amz-Meta-*)

  • Headers that begin with X-Amzn-*

  • Headers that begin with X-Edge-*

  • X-Cache

  • X-Accel-Redirect

  • X-Accel-Limit-Rate

  • X-Accel-Buffering

  • X-Accel-Charset

  • Proxy-Authenticate

  • Proxy-Authorization

  • Proxy-Connection

  • Trailer

  • X-Real-IP

  • X-Forwarded-Proto

  • CloudFront-Forwarded-Proto

  • CloudFront-Is-Mobile-Viewer

  • CloudFront-Is-Desktop-Viewer

  • CloudFront-Is-Tablet-Viewer

  • CloudFront-Viewer-Country

  • Expect

Read-only Headers

Read-only headers can be read but not edited. You can use them as input to CloudFront caching logic, and they can be read by your Lambda function, but you cannot change the values. Adding or editing a read-only header fails CloudFront validation, and results in an HTTP 502 error for the user.

Read-only Headers for CloudFront Viewer Request Events

  • Content-Length

  • Host

  • Via

  • Transfer-Encoding

  • Upgrade

  • Warning

  • Connection

  • Retry-After

  • Accept-Encoding

Read-only Headers for CloudFront Origin Request Events

  • Content-Length

  • Via

  • Range

  • If-Modified-Since

  • If-Unmodified-Since

  • If-None-Match

  • If-Range

  • Transfer-Encoding

  • Upgrade

  • Warning

  • Connection

  • Retry-After

  • Accept-Encoding

Read-only Headers for CloudFront Origin Response Events

  • Content-Length

  • Via

  • Transfer-Encoding

  • Upgrade

  • Warning

  • Connection

  • Retry-After

  • Content-Encoding

Read-only Headers for CloudFront Viewer Response Events

  • Content-Length

  • Via

  • Transfer-Encoding

  • Upgrade

  • Warning

  • Connection

  • Retry-After

  • Content-Encoding

Restricted Headers

You can add or edit restricted headers in CloudFront origin request events only if the CloudFront distribution is configured to forward these headers to your origin. Adding or changing a restricted header when the CloudFront distribution is not configured to forward it fails CloudFront validation, and results in an HTTP 502 error for the user.

Restricted Headers:

  • Accept

  • Accept-Charset

  • Accept-Language

  • Authorization

  • Referer

  • TE
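
Because every violation above surfaces to the viewer as an HTTP 502, it is worth checking a function's header changes in unit tests before deployment. The following is an added example, not code from the CloudFront documentation: the function names classify and findViolations are hypothetical, the header lists are transcribed from this page, and the restricted-header check is applied to origin request events only because that is the only case the page describes.

```javascript
// Added example: header lists transcribed from this page, names lowercased.
const BLACKLIST_PREFIXES = ['x-amz-', 'x-amzn-', 'x-edge-'];
const BLACKLIST = new Set(['x-cache', 'x-accel-redirect', 'x-accel-limit-rate',
  'x-accel-buffering', 'x-accel-charset', 'proxy-authenticate',
  'proxy-authorization', 'proxy-connection', 'trailer', 'x-real-ip',
  'x-forwarded-proto', 'cloudfront-forwarded-proto', 'cloudfront-is-mobile-viewer',
  'cloudfront-is-desktop-viewer', 'cloudfront-is-tablet-viewer',
  'cloudfront-viewer-country', 'expect']);
const COMMON_RO = ['content-length', 'via', 'transfer-encoding', 'upgrade',
  'warning', 'connection', 'retry-after'];
const READ_ONLY = {
  'viewer-request': new Set([...COMMON_RO, 'host', 'accept-encoding']),
  'origin-request': new Set([...COMMON_RO, 'range', 'if-modified-since',
    'if-unmodified-since', 'if-none-match', 'if-range', 'accept-encoding']),
  'origin-response': new Set([...COMMON_RO, 'content-encoding']),
  'viewer-response': new Set([...COMMON_RO, 'content-encoding']),
};
const RESTRICTED = new Set(['accept', 'accept-charset', 'accept-language',
  'authorization', 'referer', 'te']);

// Classify one header name for one event type (hypothetical helper).
// `forwarded` lists the headers the distribution forwards to the origin.
function classify(eventType, name, forwarded = []) {
  const h = name.toLowerCase();
  if (!READ_ONLY[eventType]) throw new Error(`unknown event type: ${eventType}`);
  const prefixed = BLACKLIST_PREFIXES.some((p) => h.startsWith(p));
  if (BLACKLIST.has(h) || (prefixed && !h.startsWith('x-amz-meta-'))) return 'blacklisted';
  if (READ_ONLY[eventType].has(h)) return 'read-only';
  const fwd = forwarded.map((f) => f.toLowerCase());
  if (eventType === 'origin-request' && RESTRICTED.has(h) && !fwd.includes(h)) return 'restricted';
  return 'ok';
}

// Compare header maps in the Lambda@Edge shape { name: [{ key, value }] }
// and report every added or changed header that would fail validation.
function findViolations(eventType, before, after, forwarded = []) {
  const flat = (m, k) => JSON.stringify((m[k] || []).map((e) => e.value));
  const out = [];
  for (const name of Object.keys(after)) {
    if (flat(before, name) === flat(after, name)) continue; // untouched header
    const verdict = classify(eventType, name, forwarded);
    if (verdict !== 'ok') out.push({ header: name.toLowerCase(), verdict });
  }
  return out;
}
```

In a unit test, pass the headers from a sample event as `before` and the headers your handler returns as `after`, and fail the build if the result is non-empty.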