Understand how origin request policies and cache policies work together
You can use a CloudFront origin request policy to control the requests that CloudFront sends to the origin, which are called origin requests. To use an origin request policy, you must attach a cache policy to the same cache behavior. You cannot use an origin request policy in a cache behavior without a cache policy. For more information, see Control origin requests with a policy.
Origin request policies and cache policies work together to determine the values that CloudFront includes in origin requests. All URL query strings, HTTP headers, and cookies that you specify in the cache key (using a cache policy) are automatically included in origin requests. Any additional query strings, headers, and cookies that you specify in an origin request policy are also included in origin requests (but not in the cache key).
Origin request policies and cache policies have settings that might appear to conflict with each other. For example, one policy might allow certain values while another policy blocks them. The following table explains which values CloudFront includes in origin requests when you use the settings of an origin request policy and a cache policy together. These settings generally apply to all types of values (query strings, headers, and cookies), with the exception that you cannot specify all headers or use a header block list in a cache policy.
|
Origin request policy |
||||
|---|---|---|---|---|
|
None |
All |
Allow list |
Block list |
|
|
Cache policy |
||||
|
None |
No values from the viewer request are included in the origin request, except for the defaults that are included in every origin request. For more information, see Control origin requests with a policy. |
All values from the viewer request are included in the origin request. |
Only the values specified in the origin request policy are included in the origin request. |
All values from the viewer request except those specified in the origin request policy are included in the origin request. |
|
All Note: You cannot specify all headers in a cache policy. |
All query strings and cookies from the viewer request are included in the origin request. |
All values from the viewer request are included in the origin request. |
All query strings and cookies from the viewer request, and any headers specified in the origin request policy, are included in the origin request. |
All query strings and cookies from the viewer request are included in the origin request, even those specified in the origin request policy block list. The cache policy setting overrides the origin request policy block list. |
|
Allow list |
Only the specified values from the viewer request are included in the origin request. |
All values from the viewer request are included in the origin request. |
All values specified in the cache policy or the origin request policy are included in the origin request. |
The values specified in the cache policy are included in the origin request, even if those same values are specified in the origin request policy block list. The cache policy allow list overrides the origin request policy block list. |
|
Block list Note: You cannot specify headers in a cache policy block list. |
All query strings and cookies from the viewer request except those specified are included in the origin request. |
All values from the viewer request are included in the origin request. |
The values specified in the origin request policy are included in the origin request, even if those same values are specified in the cache policy block list. The origin request policy allow list overrides the cache policy block list. |
All values from the viewer request except those specified in the cache policy or the origin request policy are included in the origin request. |