How to configure CloudFront using CloudFormation to pass all headers

How can you configure a CloudFront distribution to pass all headers to the origin when the distribution is deployed with CloudFormation? If you create the distribution in the AWS Web Console, you can choose between None, Whitelist and All. In CloudFormation it appears that you can only specify a whitelist of allowed headers. This is done in this part of a CloudFormation resource describing a CloudFront distribution:

Resources:
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          ForwardedValues:
            Headers:

Using *

Using a Headers element of * like this:

            Headers:
              - '*'

as used in this AWS hosted example, results in a 403 response from CloudFront: {"message":"Forbidden"}

Here it is in context:

  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - !Ref CustomDomainName
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
          Compress: true
          DefaultTTL: 0
          ForwardedValues:
            Cookies:
              Forward: all
            QueryString: true
            Headers:
              - '*'
          TargetOriginId: CloudFrontOriginId
          ViewerProtocolPolicy: redirect-to-https
        # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-defaultrootobject
        DefaultRootObject: ''  # "If you don't want to specify a default root object when you create a distribution, include an empty DefaultRootObject element."
        Enabled: true
        IPV6Enabled: true
        Origins:
          - CustomOriginConfig:
              OriginProtocolPolicy: https-only
            DomainName: !Join [ '.', [ !Ref 'AwsFederatedRpApi', 'execute-api', !Ref 'AWS::Region', 'amazonaws.com' ] ]
            Id: CloudFrontOriginId
            OriginPath: !Join [ '', [ '/', !Ref 'AwsFederatedRpApiStage' ] ]
        PriceClass: PriceClass_100  # US, Canada, Europe, Israel
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          MinimumProtocolVersion: TLSv1.2_2018
          SslSupportMethod: sni-only

Using Items *

Using a "Headers": { "Items": [ "*" ] } solution, as given in this StackOverflow answer (and copied into this answer), like this:

            Headers:
              Items:
                - '*'

results in this error before the stack even begins to deploy:

Property validation failure: [Value of property {/DistributionConfig/DefaultCacheBehavior/ForwardedValues/Headers} does not match type {Array}]

Leaving out Headers

If you don't provide a Headers key at all, CloudFront strips the request headers marked as removed in this table before forwarding the request to the origin.

Enumerating specific headers

Just Referer:

            Headers:
              - Referer

This forwards Referer (and the headers CloudFront forwards by default) to the origin, but not all headers.

Referer and Host:

            Headers:
              - Referer
              - Host

results in a 403 response from CloudFront: {"message":"Forbidden"}

This StackOverflow answer says that you can't forward the Host header, because API Gateway needs to receive its own API Gateway host name, since it uses SNI.
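The attempts above boil down to three distinct outcomes: a Headers value that is not a plain list fails CloudFormation property validation, a Host header (explicitly or via *) forwarded to an API Gateway origin yields 403 Forbidden, and * forwards everything. The following added example (not part of this gist or of any AWS tooling) is a small lint that checks a CloudFormation template for exactly those conditions before deployment. It assumes the template has already been loaded into Python dicts with intrinsic functions in their long form ({"Ref": ...}, {"Fn::Join": ...}), and it identifies API Gateway origins by the constructed heuristic that the origin DomainName contains the string execute-api.

```python
"""Lint ForwardedValues.Headers of CloudFront cache behaviours in a CloudFormation
template. Added example; assumes the template is already parsed into Python dicts
(e.g. by a CloudFormation-aware YAML loader that expands !Ref/!Join to long form)."""

# Constructed sample mirroring the gist's distribution: a whitelist of Referer and
# Host, pointing at an API Gateway (execute-api) origin.
SAMPLE_TEMPLATE = {
    "Resources": {
        "CloudFrontDistribution": {
            "Type": "AWS::CloudFront::Distribution",
            "Properties": {
                "DistributionConfig": {
                    "DefaultCacheBehavior": {
                        "TargetOriginId": "CloudFrontOriginId",
                        "ForwardedValues": {
                            "QueryString": True,
                            "Cookies": {"Forward": "all"},
                            "Headers": ["Referer", "Host"],
                        },
                    },
                    "Origins": [
                        {
                            "Id": "CloudFrontOriginId",
                            "DomainName": {"Fn::Join": [".", [
                                {"Ref": "AwsFederatedRpApi"}, "execute-api",
                                {"Ref": "AWS::Region"}, "amazonaws.com"]]},
                        }
                    ],
                }
            },
        }
    }
}


def _strings_in(value):
    """Yield every literal string nested inside a (possibly intrinsic-function) value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings_in(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings_in(v)


def header_mode(forwarded_values):
    """Classify ForwardedValues.Headers as 'none', 'all', 'whitelist' or 'invalid'.

    Returns (mode, headers). The {"Items": [...]} shape is reported as 'invalid'
    because CloudFormation rejects it with a property validation failure."""
    headers = (forwarded_values or {}).get("Headers")
    if headers is None:
        return "none", []
    if not isinstance(headers, list) or not all(isinstance(h, str) for h in headers):
        return "invalid", []
    if "*" in headers:
        return "all", headers
    return "whitelist", headers


def lint_distribution(config):
    """Return (severity, message) findings for one DistributionConfig dict."""
    findings = []
    origins = {o.get("Id"): o for o in config.get("Origins", [])}
    behaviours = [("DefaultCacheBehavior", config.get("DefaultCacheBehavior", {}))]
    behaviours += [(f"CacheBehaviors[{i}]", b)
                   for i, b in enumerate(config.get("CacheBehaviors", []))]
    for name, behaviour in behaviours:
        mode, headers = header_mode(behaviour.get("ForwardedValues"))
        if mode == "invalid":
            findings.append(("error", f"{name}: Headers must be a list of strings "
                             "such as ['*']; a mapping like {Items: [...]} fails "
                             "property validation"))
            continue
        origin = origins.get(behaviour.get("TargetOriginId"), {})
        # Heuristic (assumption): an execute-api domain name means an API Gateway origin.
        is_apigw = any("execute-api" in s for s in _strings_in(origin.get("DomainName")))
        forwards_host = mode == "all" or any(h.lower() == "host" for h in headers)
        if is_apigw and forwards_host:
            findings.append(("warning", f"{name}: forwards Host to an API Gateway "
                             "origin; the origin expects its own host name and "
                             "responds 403 Forbidden"))
        if mode == "all":
            findings.append(("info", f"{name}: forwarding all headers puts every "
                             "header into the cache key, so responses are "
                             "effectively not cached"))
    return findings


def lint_template(template):
    """Lint every AWS::CloudFront::Distribution resource in a template dict."""
    out = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::CloudFront::Distribution":
            cfg = res.get("Properties", {}).get("DistributionConfig", {})
            out += [(sev, f"{logical_id}: {msg}") for sev, msg in lint_distribution(cfg)]
    return out


if __name__ == "__main__":
    for severity, message in lint_template(SAMPLE_TEMPLATE):
        print(f"[{severity}] {message}")
```

Run against the constructed sample it reports one warning (Host forwarded to the execute-api origin); swapping the Headers value for {"Items": ["*"]} produces the validation error, and ["*"] against a non-API Gateway origin produces only the caching note, since with the legacy ForwardedValues settings every forwarded header becomes part of the cache key.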


mhudson commented Jun 2, 2020

I have exactly the same issue, and also found the discrepancies in the AWS documentation. I've raised with AWS Support and will report back.


mims92 commented Jun 5, 2020

I just tested this code and it worked:

DefaultCacheBehavior:
    .
    .
    .
    ForwardedValues:
        Cookies:
            Forward: none
        Headers: ["*"]
        QueryString: True
    

@diegomachadosoares

I just tested this code and it worked:

DefaultCacheBehavior:
    .
    .
    .
    ForwardedValues:
        Cookies:
            Forward: none
        Headers: ["*"]
        QueryString: True
    

This works perfectly! Thanks a lot!
