@peter-testfit Yes, I agree: the 403 is specifically coming from WAF, not from CloudFront or any other resource behind WAF. The default 403 response from WAF doesn't include the CORS headers your application clients expect, and I'm suspecting that they're flagging the absence of CORS headers as an error.
That's why I'm suggesting that you customise the 403 response coming from WAF to include the proper CORS headers. The console in developer tools in Chrome or other Chromium-based browsers probably says which origins or other parameters would be needed.
You should be able to configure custom headers for the errors that WAF returns. From your question, I'm not sure if your CORS headers are coming from your backend application (which isn't reached when WAF blocks the request) or a response headers policy in CloudFront, but customising the response from WAF to include the proper CORS header should work in both cases according to this documentation article: https://docs.aws.amazon.com/waf/latest/developerguide/customizing-the-response-for-blocked-requests.html
Considering this is a blocking rule that is creating the CORS response, the CORS error is not coming from CloudFront or the ALB/ECS. We don't have any custom response configured, so according to the documentation you pointed me to we should get a 403 Forbidden.
Ah, okay. I misunderstood your first post then. I will test that and get back to this thread.
I tried custom responses and they work fine for rules that I defined. But it doesn't work for AWS managed rules/lists unless I missed something. There are options to override the response of an AWS managed rule, but that only changes the outcome (block, allow, etc.) and not the HTTP response/headers. Any other ideas?
I'm not sure if there might be a cleaner way, but I think that a universal workaround likely to work would be to override the action for the AWS-managed rule group to "count", so that it only sets a label to indicate what got hit. All AWS-managed rules add labels, and they're included in documentation. They also have a hierarchical namespace structure for easy matching. In lower-priority rules, you can match the label and apply your custom response action the same way as for any custom rule.
I have the same issue. I don't understand your proposed workaround, because if I create my rule with a custom response and add a header, the header name will be prefixed with "x-amzn-waf-" as stated in the console: "With the Captcha action, you can add custom headers to the web request. AWS WAF prefixes your custom header names with x-amzn-waf- when it inserts them." Therefore I cannot change the CORS headers. What am I missing?
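Added example, not code posted by anyone in this thread, of the "count the managed group, then block on its labels" layout described in the workaround above, written as WAFv2 rule objects in the shape the web ACL API accepts; the managed rule group, its label namespace and the origin are assumed values.

```python
# Added example (not from this thread): the two-rule layout for the workaround
# above, as WAFv2 rule objects in the shape `aws wafv2 update-web-acl` accepts.
# Assumed values: the Common Rule Set, its label namespace, and the origin.
import json

MANAGED_GROUP = "AWSManagedRulesCommonRuleSet"            # assumed managed group
LABEL_NAMESPACE = "awswaf:managed:aws:core-rule-set:"     # its label namespace (assumed)
ALLOWED_ORIGIN = "https://app.example.com"                # constructed placeholder


def _visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def managed_group_in_count_mode(priority):
    """Managed group overridden to Count: it still labels matching requests,
    but no longer sends the bare 403 that lacks CORS headers."""
    return {"Name": f"{MANAGED_GROUP}-count", "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": MANAGED_GROUP}},
            "OverrideAction": {"Count": {}}, "VisibilityConfig": _visibility(f"{MANAGED_GROUP}-count")}


def block_labelled_with_cors(priority, origin):
    """Later rule: anything carrying a label from that namespace is blocked with
    a custom 403 whose response headers include the CORS headers."""
    return {"Name": "block-managed-hits-with-cors", "Priority": priority,
            "Statement": {"LabelMatchStatement": {"Scope": "NAMESPACE", "Key": LABEL_NAMESPACE}},
            "Action": {"Block": {"CustomResponse": {"ResponseCode": 403, "ResponseHeaders": [
                {"Name": "Access-Control-Allow-Origin", "Value": origin},
                {"Name": "Vary", "Value": "Origin"}]}}},
            "VisibilityConfig": _visibility("block-managed-hits-with-cors")}


def priorities_are_valid(rules):
    """WAF evaluates rules from the lowest Priority number upwards, and a label is
    only visible to rules evaluated after the one that added it, so every
    label-match rule must carry a higher number than every labelling rule."""
    labellers = [r["Priority"] for r in rules if "ManagedRuleGroupStatement" in r["Statement"]]
    matchers = [r["Priority"] for r in rules if "LabelMatchStatement" in r["Statement"]]
    return bool(labellers) and bool(matchers) and max(labellers) < min(matchers)


def build_rules(origin=ALLOWED_ORIGIN):
    rules = [managed_group_in_count_mode(10), block_labelled_with_cors(20, origin)]
    if not priorities_are_valid(rules):
        raise ValueError("label-match rule must have a higher Priority number than the managed group")
    return rules


if __name__ == "__main__":
    print(json.dumps(build_rules(), indent=2))
```

The headers here sit in the Block action's CustomResponse, the setting the linked documentation article describes; the x-amzn-waf- prefix in the quoted console text concerns headers WAF inserts into the forwarded web request, which is a different setting.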