[Cloudfront] Are there security implications to the ALL_VIEWER origin request policy?

What is the scenario where you wouldn't want to use the ALL_VIEWER managed origin request policy? Are there any security implications to using that for all distributions (S3 origins and ALB origins)?

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html

トピック

ネットワークとコンテンツ配信 AWS Well-Architected Framework

タグ

Amazon CloudFront セキュリティ

言語

English

NickHolden

質問済み 2年前637ビュー

1回答

新しい順
投票が多い順
コメントが多い順

これらの回答は役に立ちましたか？コミュニティがあなたの知識を活用できるように、正解に賛成票を投じてください。

承認された回答

The ALL_VIEWER origin request policy will forward all headers, cookies and query strings to requests that reach the origin but caching will not defined based on the headers, cookies and query strings being forwarded. In terms of best practices, you should only forward the exact headers, cookies or query strings which your application needs

サポートエンジニア

Davin_G

回答済み 2年前

vasco
1年前
I don't think you really answered the question here; Like why is this is best practise? Does it have any security implications for example? Perhaps based on those best practises?
vasco
1年前
For example my assumption would be that it in general makes sense to include all headers because;

As you pointed out, cloudfront doesn't use all of them for caching, so no adverse effects there

The origin will mostly likely only parse the headers it needs to function

Lastly, in terms of logging request from your server to debug failed request or even detect malicious requests, it would be more helpfull to have more headers as you have more information from the request made.

I am probably wrong as you pointed out it's better to only select the ones needed, so I would live to know why!

[Cloudfront] Are there security implications to the ALL_VIEWER origin request policy?

関連するコンテンツ