[Cloudfront] Are there security implications to the ALL_VIEWER origin request policy?

What is the scenario where you wouldn't want to use the ALL_VIEWER managed origin request policy? Are there any security implications to using that for all distributions (S3 origins and ALB origins)?

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html

주제

네트워킹 및 콘텐츠 전송 AWS Well-Architected 프레임워크

태그

아마존 CloudFront 보안

언어

English

NickHolden

질문됨 2년 전637회 조회

1개 답변

최신
최다 투표
가장 많은 댓글

이 답변이 도움이 되었나요?커뮤니티가 여러분의 지식을 활용할 수 있도록 정답을 찬성하세요.

수락된 답변

The ALL_VIEWER origin request policy will forward all headers, cookies and query strings to requests that reach the origin but caching will not defined based on the headers, cookies and query strings being forwarded. In terms of best practices, you should only forward the exact headers, cookies or query strings which your application needs

지원 엔지니어

Davin_G

답변함 2년 전

vasco
일 년 전
I don't think you really answered the question here; Like why is this is best practise? Does it have any security implications for example? Perhaps based on those best practises?
vasco
일 년 전
For example my assumption would be that it in general makes sense to include all headers because;

As you pointed out, cloudfront doesn't use all of them for caching, so no adverse effects there

The origin will mostly likely only parse the headers it needs to function

Lastly, in terms of logging request from your server to debug failed request or even detect malicious requests, it would be more helpfull to have more headers as you have more information from the request made.

I am probably wrong as you pointed out it's better to only select the ones needed, so I would live to know why!

[Cloudfront] Are there security implications to the ALL_VIEWER origin request policy?

관련 콘텐츠