[Cloudfront] Are there security implications to the ALL_VIEWER origin request policy?

What is the scenario where you wouldn't want to use the ALL_VIEWER managed origin request policy? Are there any security implications to using that for all distributions (S3 origins and ALB origins)?

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html

主題

網路與內容交付 AWS Well-Architected Framework

標籤

Amazon CloudFront 安全性

語言

English

NickHolden

已提問 2 年前檢視次數 641 次

1 個回答

最新
最多得票
最多評論

這些答案是否有幫助？支持正確答案，以幫助社區從您的知識中受益。

已接受的答案

The ALL_VIEWER origin request policy will forward all headers, cookies and query strings to requests that reach the origin but caching will not defined based on the headers, cookies and query strings being forwarded. In terms of best practices, you should only forward the exact headers, cookies or query strings which your application needs

支援工程師

Davin_G

已回答 2 年前

vasco
1 年前
I don't think you really answered the question here; Like why is this is best practise? Does it have any security implications for example? Perhaps based on those best practises?
vasco
1 年前
For example my assumption would be that it in general makes sense to include all headers because;

As you pointed out, cloudfront doesn't use all of them for caching, so no adverse effects there

The origin will mostly likely only parse the headers it needs to function

Lastly, in terms of logging request from your server to debug failed request or even detect malicious requests, it would be more helpfull to have more headers as you have more information from the request made.

I am probably wrong as you pointed out it's better to only select the ones needed, so I would live to know why!

[Cloudfront] Are there security implications to the ALL_VIEWER origin request policy?

相關內容