[Cloudfront] Are there security implications to the ALL_VIEWER origin request policy?

0

What is the scenario where you wouldn't want to use the ALL_VIEWER managed origin request policy? Are there any security implications to using that for all distributions (S3 origins and ALB origins)?

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html

已提问 2 年前612 查看次数
1 回答
0
已接受的回答

The ALL_VIEWER origin request policy will forward all headers, cookies and query strings to requests that reach the origin but caching will not defined based on the headers, cookies and query strings being forwarded. In terms of best practices, you should only forward the exact headers, cookies or query strings which your application needs

支持工程师
Davin_G
已回答 2 年前
  • I don't think you really answered the question here; Like why is this is best practise? Does it have any security implications for example? Perhaps based on those best practises?

  • For example my assumption would be that it in general makes sense to include all headers because;

    • As you pointed out, cloudfront doesn't use all of them for caching, so no adverse effects there
    • The origin will mostly likely only parse the headers it needs to function
    • Lastly, in terms of logging request from your server to debug failed request or even detect malicious requests, it would be more helpfull to have more headers as you have more information from the request made.

    I am probably wrong as you pointed out it's better to only select the ones needed, so I would live to know why!

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则