How to whitelist Authorization header in CloudFront custom Origin Request Policy

amazon-cloudfrontamazon-web-servicesauthorizationcachehttp-headers

I have created the following CloudFront Origin Request Policy:

I need Authorization header (without Authorization header the AntiForgeryToken header is not forwarded) but I do not understand why CloudFront does not allow adding Authorization header to the policy?

I get the following error:

400 The parameter Headers contains Authorization that is not allowed.

I have followed this document and added Authorization header to Cache Policy, but still don't get the AntiForgeryToken in my requests…

If I use the legacy cache policy (instead of creating my own custom policy) then I am able to Whitelist Authorization header but don't know why I am not able to do it in my own custom policy?

Best Answer

It is possible to use the Origin Request Policy to forward all headers (use the Managed-AllViewer) which includes Authorization. As stated above, this does cause a conflict with API Gateway because the HOST header doesn't match the request (request is coming from CloudFront, HOST is from the user) and so API Gateway will return a 403. In order to deal with that, you can deploy a Lambda@Edge function to rewrite the HOST header to match CloudFront. API Gateway will then accept the request.

To do that, create a Lambda function in US-EAST-1 (must be here for replication purposes, add edgelambda.amazonaws.com to the trusted entities on the Lambda's role, and then add a CloudFront trigger to the Lambda function for origin-requests and specify the distribution you want to use it.

Here's a sample Lambda@Edge function in Node.JS to perform that task:

'use strict';

exports.handler = (event, context, callback) => {
  const request = event.Records[0].cf.request;

  /* Set host header to API GW domain*/
  request.headers['host'] = [{ key: 'host', value: request.origin.custom.domainName }];
  console.log('successfully executed Lambda at Edge')
  callback(null, request);
};

Related Solutions

CloudFront with Custom Origin and ELB

It's possible that CloudFront doesn't handle multiple headers with the same name correctly and isn't seeing your max-age directive. According to this CloudFront does use the Expires header if present, so try getting your origin server to set that instead (preferably relative to the request time). For Apache I think you want something like this with mod_expires:

ExpiresDefault "access plus 1 hour"

Ssl – Strict-Transport-Security on CloudFront with S3 origin

You can now add HTTP response headers natively in CloudFront (including HSTS), without modifying your origin or writing a function. Create a new response headers policy with your configuration, then attach the policy to one or more cache behaviors.

Documentation is available here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html

Best Answer

Related Solutions

CloudFront with Custom Origin and ELB

Ssl – Strict-Transport-Security on CloudFront with S3 origin

Related Topic