Adding or removing HTTP headers in CloudFront responses
You can configure CloudFront to modify the HTTP headers in the responses that it sends to viewers. CloudFront can remove headers that it received from the origin, or add headers to the response, before sending the response to viewers. Making these changes doesn't require writing code or changing the origin.
For example, you can remove headers such as X-Powered-By and
Vary so that CloudFront doesn't include these headers in the responses that it sends
to viewers. Or, you can add HTTP headers such as the following:
-
A
Cache-Controlheader to control browser caching. -
An
Access-Control-Allow-Originheader to enable cross-origin resource sharing (CORS). You can also add other CORS headers. -
A set of common security headers, such as
Strict-Transport-Security,Content-Security-Policy, andX-Frame-Options. -
A
Server-Timingheader to see information that's related to the performance and routing of both the request and response through CloudFront.
To specify the headers that CloudFront adds or removes in HTTP responses, you use a response headers policy. You attach a response headers policy to one more cache behaviors, and CloudFront modifies the headers in the responses that it sends to requests that match the cache behavior. CloudFront modifies the headers in the responses that it serves from the cache and the ones that it forwards from the origin. If the origin response includes one or more of the headers that are added in a response headers policy, the policy can specify if CloudFront uses the header it received from the origin or overwrites that header with the one in the response headers policy.
CloudFront provides predefined response headers policies, known as managed policies, for common use cases. You can use these managed policies or create your own policies. You can attach a single response headers policy to multiple cache behaviors in multiple distributions in your Amazon Web Services account.
For more information, see the following topics.