Menu
Amazon CloudFront
Developer Guide (API Version 2016-09-29)

Header Restrictions

Note the following restrictions on using headers with Lambda@Edge.

Blacklisted Headers

Blacklisted headers aren't exposed and can't be added by Lambda@Edge functions. If your Lambda function adds a blacklisted header, the request fails CloudFront validation. CloudFront returns HTTP status code 502 (Bad Gateway) to the viewer.

  • CloudFront-Forwarded-Proto

  • CloudFront-Is-Desktop-Viewer

  • CloudFront-Is-Mobile-Viewer

  • CloudFront-Is-SmartTV-Viewer

  • CloudFront-Is-Tablet-Viewer

  • CloudFront-Viewer-Country

  • Connection

  • Expect

  • Keep-alive

  • Proxy-Authenticate

  • Proxy-Authorization

  • Proxy-Connection

  • Trailer

  • Upgrade

  • X-Accel-Buffering

  • X-Accel-Charset

  • X-Accel-Limit-Rate

  • X-Accel-Redirect

  • X-Amz-Cf-*

  • X-Amzn-*

  • X-Cache

  • X-Edge-*

  • X-Forwarded-Proto

  • X-Real-IP

Read-only Headers

Read-only headers can be read but not edited. You can use them as input to CloudFront caching logic, and your Lambda function can read the header values, but it can't change the values. If your Lambda function adds or edits a read-only header, the request fails CloudFront validation. CloudFront returns HTTP status code 502 (Bad Gateway) to the viewer.

Read-only Headers for CloudFront Viewer Request Events

  • Accept-Encoding

  • Content-Length

  • Host

  • Retry-After

  • Transfer-Encoding

  • Via

  • Warning

Read-only Headers for CloudFront Origin Request Events

  • Accept-Encoding

  • Content-Length

  • If-Modified-Since

  • If-None-Match

  • If-Range

  • If-Unmodified-Since

  • Range

  • Retry-After

  • Transfer-Encoding

  • Via

  • Warning

Read-only Headers for CloudFront Origin Response Events

  • Content-Encoding

  • Content-Length

  • Retry-After

  • Transfer-Encoding

  • Via

  • Warning

Read-only Headers for CloudFront Viewer Response Events

  • Content-Encoding

  • Content-Length

  • Retry-After

  • Transfer-Encoding

  • Warning

  • Via

Restricted Headers for CloudFront Origin Request Events

You can add or edit restricted headers in CloudFront origin request events only if the CloudFront distribution is configured to forward these headers to your origin. Adding or changing a restricted header when the CloudFront distribution is not configured to forward the header to the origin fails CloudFront validation. CloudFront returns HTTP status code 502 (Bad Gateway) to the viewer.

  • Accept

  • Accept-Charset

  • Accept-Language

  • Authorization

  • Referer

  • TE