Restrictions on all edge functions - Amazon CloudFront
Amazon Web Services account ownershipCombining CloudFront Functions with Lambda@EdgeHTTP status codesHTTP headersQuery stringsURIURI and query string encodingMicrosoft Smooth StreamingTagging
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Restrictions on all edge functions

The following restrictions apply to all edge functions, both CloudFront Functions and Lambda@Edge.

Amazon Web Services account ownership

To associate an edge function with a CloudFront distribution, the function and distribution must be owned by the same Amazon Web Services account.

Combining CloudFront Functions with Lambda@Edge

For a given cache behavior, the following restrictions apply:

  • Each event type (viewer request, origin request, origin response, and viewer response) can have only one edge function association.

  • You cannot combine CloudFront Functions and Lambda@Edge in viewer events (viewer request and viewer response).

All other combinations of edge functions are allowed. The following table explains the allowed combinations.

CloudFront Functions

Viewer request

Viewer response

Lambda@Edge

Viewer request

Not allowed

Not allowed

Origin request

Allowed

Allowed

Origin response

Allowed

Allowed

Viewer response

Not allowed

Not allowed

HTTP status codes

CloudFront does not invoke edge functions for viewer response events when the origin returns HTTP status code 400 or higher.

Lambda@Edge functions for origin response events are invoked for all origin responses, including when the origin returns HTTP status code 400 or higher. For more information, see Updating HTTP responses in origin response triggers.

HTTP headers

Certain HTTP headers are disallowed, which means they're not exposed to edge functions and functions can't add them. Other headers are read-only, which means functions can read them but can't add or modify them.

Disallowed headers

The following HTTP headers are not exposed to edge functions, and functions can't add them. If your function adds one of these headers, it fails CloudFront validation and CloudFront returns HTTP status code 502 (Bad Gateway) to the viewer.

  • Connection

  • Expect

  • Keep-Alive

  • Proxy-Authenticate

  • Proxy-Authorization

  • Proxy-Connection

  • Trailer

  • Upgrade

  • X-Accel-Buffering

  • X-Accel-Charset

  • X-Accel-Limit-Rate

  • X-Accel-Redirect

  • X-Amz-Cf-*

  • X-Amzn-Auth

  • X-Amzn-Cf-Billing

  • X-Amzn-Cf-Id

  • X-Amzn-Cf-Xff

  • X-Amzn-Errortype

  • X-Amzn-Fle-Profile

  • X-Amzn-Header-Count

  • X-Amzn-Header-Order

  • X-Amzn-Lambda-Integration-Tag

  • X-Amzn-RequestId

  • X-Cache

  • X-Edge-*

  • X-Forwarded-Proto

  • X-Real-IP

Read-only headers

The following headers are read-only. Your function can read them and use them as input to the function logic, but it can't change the values. If your function adds or edits a read-only header, the request fails CloudFront validation and CloudFront returns HTTP status code 502 (Bad Gateway) to the viewer.

Read-only headers in viewer request events

The following headers are read-only in viewer request events.

  • Content-Length

  • Host

  • Transfer-Encoding

  • Via

Read-only headers in origin request events (Lambda@Edge only)

The following headers are read-only in origin request events, which exist only in Lambda@Edge.

  • Accept-Encoding

  • Content-Length

  • If-Modified-Since

  • If-None-Match

  • If-Range

  • If-Unmodified-Since

  • Transfer-Encoding

  • Via

Read-only headers in origin response events (Lambda@Edge only)

The following headers are read-only in origin response events, which exist only in Lambda@Edge.

  • Transfer-Encoding

  • Via

Read-only headers in viewer response events

The following headers are read-only in viewer response events for both CloudFront Functions and Lambda@Edge.

  • Warning

  • Via

The following headers are read-only in viewer response events for Lambda@Edge.

  • Content-Length

  • Content-Encoding

  • Transfer-Encoding

Query strings

The following restrictions apply to functions that read, update, or create a query string in a request URI.

  • (Lambda@Edge only) To access the query string in an origin request or origin response function, your cache policy or origin request policy must be set to All for Query strings.

  • A function can create or update a query string for viewer request and origin request events (origin request events exist only in Lambda@Edge).

  • A function can read a query string, but cannot create or update one, for origin response and viewer response events (origin response events exist only in Lambda@Edge).

  • If a function creates or updates a query string, the following restrictions apply:

    • The query string can't include spaces, control characters, or the fragment identifier (#).

    • The total size of the URI, including the query string, must be less than 8,192 characters.

    • We recommend that you use percent encoding for the URI and query string. For more information, see URI and query string encoding.

URI

If a function changes the URI for a request, that doesn't change the cache behavior for the request or the origin that the request is forwarded to.

The total size of the URI, including the query string, must be less than 8,192 characters.

URI and query string encoding

URI and query string values passed to edge functions are UTF-8 encoded. Your function should use UTF-8 encoding for the URI and query string values that it returns. Percent encoding is compatible with UTF-8 encoding.

The following list explains how CloudFront handles URI and query string value encoding:

  • When values in the request are UTF-8 encoded, CloudFront forwards the values to your function without changing them.

  • When values in the request are ISO-8859-1 encoded, CloudFront converts the values to UTF-8 encoding before forwarding them to your function.

  • When values in the request are encoded using some other character encoding, CloudFront assumes that they're ISO-8859-1 encoded and tries to convert from ISO-8859-1 to UTF-8.

    Important

    The converted characters might be an inaccurate interpretation of the values in the original request. This might cause your function or your origin to produce an unintended result.

The URI and query string values that CloudFront forwards to your origin depend on whether a function changes the values:

  • If a function does not change the URI or query string, CloudFront forwards the values that it received in the request to your origin.

  • If a function changes the URI or query string, CloudFront forwards the UTF-8 encoded values.

Microsoft Smooth Streaming

You cannot use edge functions with a CloudFront distribution that you're using for streaming media files that you've transcoded into the Microsoft Smooth Streaming format.

Tagging

You cannot add tags to edge functions. To learn more about tagging in CloudFront, see Tagging Amazon CloudFront distributions.