Using the managed response headers policies - Amazon CloudFront

Using the managed response headers policies

With a CloudFront response headers policy, you can specify the HTTP headers that Amazon CloudFront adds to responses that it sends to viewers. For more information about response headers policies and reasons to use them, see Adding HTTP headers to CloudFront responses.

CloudFront provides managed response headers policies that you can attach to cache behaviors in your CloudFront distributions. With a managed response headers policy, you don’t need to write or maintain your own policy. The managed policies contain sets of HTTP response headers for common use cases.

Attaching a managed response headers policy

To use a managed response headers policy, you attach it to a cache behavior in your distribution. The process is the same as when you create a custom response headers policy. However, instead of creating a new policy, you attach one of the managed policies. You attach the policy either by name (with the console) or by ID (with AWS CloudFormation, the AWS CLI, or the AWS SDKs). The names and IDs are listed in the following section.

For more information, see Creating response headers policies.

Available managed response headers policies

The following topics describes the managed response headers policies that you can use.

CORS allow all origins

Use this managed policy to allow simple CORS requests from any origin. With this policy, CloudFront adds the header Access-Control-Allow-Origin: * to all responses for simple CORS requests.

If the response that CloudFront receives from the origin includes the Access-Control-Allow-Origin header, CloudFront uses that header (and its value) in its response to the viewer. CloudFront doesn't use the header in this policy.

Policy name: SimpleCORS

Policy ID: 60669652-455b-4ae9-85a4-c4c02393f86c

Policy settings
Header name Header value Override origin?
CORS headers: Access-Control-Allow-Origin * No

You can also view this policy in the CloudFront console.

CORS allow all origins with preflight

Use this managed policy to allow CORS requests from any origin, including preflight requests. For preflight requests (using the HTTP OPTIONS method), CloudFront adds all three of the following headers to the response. For simple CORS requests, CloudFront adds only the Access-Control-Allow-Origin header.

If the response that CloudFront receives from the origin includes any of these headers, CloudFront uses the received header (and its value) in its response to the viewer. CloudFront doesn't use the header in this policy.

Policy name: CORS-With-Preflight

Policy ID: 5cc3b908-e619-4b99-88e5-2cf7f45965bd

Policy settings
Header name Header value Override origin?
CORS headers: Access-Control-Allow-Methods DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT No
Access-Control-Allow-Origin *
Access-Control-Expose-Headers *

You can also view this policy in the CloudFront console.

Security headers

Use this managed policy to add a set of security headers to all responses that CloudFront sends to viewers. For more information about these security headers, see Mozilla’s web security guidelines.

With this response headers policy, CloudFront adds X-Content-Type-Options: nosniff to all responses. This is the case when the response that CloudFront received from the origin included this header and when it didn't. For all other headers in this policy, if the response that CloudFront receives from the origin includes the header, CloudFront uses the received header (and its value) in its response to the viewer. It doesn't use the header in this policy.

Policy name: SecurityHeadersPolicy

Policy ID: 67f7725c-6f97-4210-82d7-5512b31e9d03

Policy settings
Header name Header value Override origin?
Security headers: Referrer-Policy strict-origin-when-cross-origin No
Strict-Transport-Security max-age=31536000 No
X-Content-Type-Options nosniff Yes
X-Frame-Options SAMEORIGIN No
X-XSS-Protection 1; mode=block No

You can also view this policy in the CloudFront console.

CORS allow all origins and security headers

Use this managed policy to allow simple CORS requests from any origin. This policy also adds a set of security headers to all responses that CloudFront sends to viewers. This policy combines the CORS allow all origins and Security headers policies into one.

Policy name: CORS-and-SecurityHeadersPolicy

Policy ID: e61eb60c-9c35-4d20-a928-2b84e02af89c

Policy settings
Header name Header value Override origin?
CORS headers: Access-Control-Allow-Origin * No
Security headers: Referrer-Policy strict-origin-when-cross-origin No
Strict-Transport-Security max-age=31536000 No
X-Content-Type-Options nosniff Yes
X-Frame-Options SAMEORIGIN No
X-XSS-Protection 1; mode=block No

You can also view this policy in the CloudFront console.

CORS allow all origins with preflight and security headers

Use this managed policy to allow CORS requests from any origin. This includes preflight requests. This policy also adds a set of security headers to all responses that CloudFront sends to viewers. This policy combines the CORS allow all origins with preflight and Security headers policies into one.

Policy name: CORS-with-preflight-and-SecurityHeadersPolicy

Policy ID: eaab4381-ed33-4a86-88ca-d9558dc6cd63

Policy settings
Header name Header value Override origin?
CORS headers: Access-Control-Allow-Methods DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT No
Access-Control-Allow-Origin *
Access-Control-Expose-Headers *
Security headers: Referrer-Policy strict-origin-when-cross-origin No
Strict-Transport-Security max-age=31536000 No
X-Content-Type-Options nosniff Yes
X-Frame-Options SAMEORIGIN No
X-XSS-Protection 1; mode=block No

You can also view this policy in the CloudFront console.