Use managed response headers policies
With a CloudFront response headers policy, you can specify the HTTP headers that Amazon CloudFront removes or adds in responses that it sends to viewers. For more information about response headers policies and reasons to use them, see Add or remove HTTP headers in CloudFront responses with a policy.
CloudFront provides managed response headers policies that you can attach to cache behaviors in your CloudFront distributions. With a managed response headers policy, you don't need to write or maintain your own policy. The managed policies contain sets of HTTP response headers for common use cases.
To use a managed response headers policy, you attach it to a cache behavior in your distribution. The process is the same as when you create a custom response headers policy. However, instead of creating a new policy, you attach one of the managed policies. You attach the policy either by name (with the console) or by ID (with AWS CloudFormation, the AWS CLI, or the AWS SDKs). The names and IDs are listed in the following section.
For more information, see Create response headers policies.
The following topics describe the managed response headers policies that you can use.
Topics
CORS-and-SecurityHeadersPolicy
View this policy in the CloudFront console
Use this managed policy to allow simple CORS requests from any origin. This policy also adds a set of security headers to all responses that CloudFront sends to viewers. This policy combines the SimpleCORS and SecurityHeadersPolicy policies into one.
When using AWS CloudFormation, the AWS CLI, or the CloudFront API, the ID for this policy is:
e61eb60c-9c35-4d20-a928-2b84e02af89c
Policy settings | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Header name | Header value | Override origin? | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
CORS headers: | Access-Control-Allow-Origin |
* |
No | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Security headers: | Referrer-Policy |
strict-origin-when-cross-origin |
No | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Strict-Transport-Security |
max-age=31536000 |
No | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
X-Content-Type-Options |
nosniff |
Yes | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
X-Frame-Options |
SAMEORIGIN |
No | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
X-XSS-Protection |
1; mode=block |
No |
CORS-With-Preflight
View this policy in the CloudFront console
Use this managed policy to allow CORS requests from any origin, including
preflight requests. For preflight requests (using the HTTP OPTIONS
method), CloudFront adds all three of the following headers to the response. For simple
CORS requests, CloudFront adds only the Access-Control-Allow-Origin
header.
If the response that CloudFront receives from the origin includes any of these headers, CloudFront uses the received header (and its value) in its response to the viewer. CloudFront doesn't use the header in this policy.
When using AWS CloudFormation, the AWS CLI, or the CloudFront API, the ID for this policy is:
5cc3b908-e619-4b99-88e5-2cf7f45965bd
Policy settings | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Header name | Header value | Override origin? | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
CORS headers: | Access-Control-Allow-Methods |
DELETE , GET , HEAD ,
OPTIONS , PATCH , POST ,
PUT |
No | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Access-Control-Allow-Origin |
* |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Access-Control-Expose-Headers |
* |
CORS-with-preflight-and-SecurityHeadersPolicy
View this policy in the CloudFront console
Use this managed policy to allow CORS requests from any origin. This includes preflight requests. This policy also adds a set of security headers to all responses that CloudFront sends to viewers. This policy combines the CORS-With-Preflight and SecurityHeadersPolicy policies into one.
When using AWS CloudFormation, the AWS CLI, or the CloudFront API, the ID for this policy is:
eaab4381-ed33-4a86-88ca-d9558dc6cd63
Policy settings | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Header name | Header value | Override origin? | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
CORS headers: | Access-Control-Allow-Methods |
DELETE , GET , HEAD ,
OPTIONS , PATCH , POST ,
PUT |
No | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Access-Control-Allow-Origin |
* |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Access-Control-Expose-Headers |
* |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Security headers: | Referrer-Policy |
strict-origin-when-cross-origin |
No | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Strict-Transport-Security |
max-age=31536000 |
No | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
X-Content-Type-Options |
nosniff |
Yes | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
X-Frame-Options |
SAMEORIGIN |
No | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
X-XSS-Protection |
1; mode=block |
No |
SecurityHeadersPolicy
View this policy in the CloudFront console
Use this managed policy to add a set of security headers to all responses that
CloudFront sends to viewers. For more information about these security headers, see Mozilla's web security
guidelines
With this response headers policy, CloudFront adds X-Content-Type-Options:
nosniff
to all responses. This is the case when the response that CloudFront
received from the origin included this header and when it didn't. For all other
headers in this policy, if the response that CloudFront receives from the origin includes
the header, CloudFront uses the received header (and its value) in its response to the
viewer. It doesn't use the header in this policy.
When using AWS CloudFormation, the AWS CLI, or the CloudFront API, the ID for this policy is:
67f7725c-6f97-4210-82d7-5512b31e9d03
Policy settings | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Header name | Header value | Override origin? | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Security headers: | Referrer-Policy |
strict-origin-when-cross-origin |
No | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Strict-Transport-Security |
max-age=31536000 |
No | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
X-Content-Type-Options |
nosniff |
Yes | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
X-Frame-Options |
SAMEORIGIN |
No | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
X-XSS-Protection |
1; mode=block |
No |
SimpleCORS
View this policy in the CloudFront console
Use this managed policy to allow simple
CORS requestsAccess-Control-Allow-Origin: *
to all responses for simple CORS
requests.
If the response that CloudFront receives from the origin includes the
Access-Control-Allow-Origin
header, CloudFront uses that header (and its
value) in its response to the viewer. CloudFront doesn't use the header in this
policy.
When using AWS CloudFormation, the AWS CLI, or the CloudFront API, the ID for this policy is:
60669652-455b-4ae9-85a4-c4c02393f86c
Policy settings | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Header name | Header value | Override origin? | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
CORS headers: | Access-Control-Allow-Origin |
* |
No |