Adding HTTP headers to CloudFront responses - Amazon CloudFront
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Adding HTTP headers to CloudFront responses

You can configure CloudFront to add one or more HTTP headers to the responses that it sends to viewers. Making these changes doesn't require writing code or changing the origin. Some of the HTTP headers that you can add include the following:

  • A Cache-Control header to control browser caching.

  • An Access-Control-Allow-Origin header to enable cross-origin resource sharing (CORS). You can also add other CORS headers.

  • A set of common security headers, such as Strict-Transport-Security, Content-Security-Policy, and X-Frame-Options.

  • A Server-Timing header to see information that's related to the performance and routing of both the request and response through CloudFront.

To specify the headers that CloudFront adds to HTTP responses, you use a response headers policy. CloudFront adds the headers to the responses that CloudFront serves from the cache and the ones that CloudFront forwards from the origin. If the origin response includes one or more of the headers that are in a response headers policy, the policy can specify if CloudFront uses the header it received from the origin or overwrites that header with the one in the response headers policy.

CloudFront provides predefined response headers policies, known as managed policies, for common use cases. You can use these managed policies or create your own policies. You can attach a single response headers policy to multiple cache behaviors in multiple distributions in your Amazon Web Services account.

For more information, see the following topics.