CloudFront proxy behaviour with AWS CDK

PlausibleCloudFrontCDK.ts

const plausibleIo = new HttpOrigin('plausible.io', {
    protocolPolicy: OriginProtocolPolicy.HTTPS_ONLY
});

const distribution = new Distribution(this, "WebsiteDistribution", {
    certificate,
    defaultRootObject: "index.html",

    errorResponses: [
        {
            httpStatus: 404,
            responseHttpStatus: 404,
            responsePagePath: "/404.html"
        }
    ],
    domainNames: [props.domainName],
    minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2021,
    defaultBehavior: {
        origin: new S3Origin(websiteBucket, {
            originAccessIdentity: cloudfrontOAI,
            customHeaders: {
                Referer: cloudfrontOAI.originAccessIdentityId
            }
        }),
        compress: true,
        allowedMethods: AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
        viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS
    },
    additionalBehaviors: {
        '/js/script.*': {
            origin: plausibleIo,
            viewerProtocolPolicy: ViewerProtocolPolicy.HTTPS_ONLY,
            allowedMethods: AllowedMethods.ALLOW_GET_HEAD
        },
        '/api/event': {
            origin: plausibleIo,
            viewerProtocolPolicy: ViewerProtocolPolicy.HTTPS_ONLY,
            allowedMethods: AllowedMethods.ALLOW_ALL,
            originRequestPolicy: OriginRequestPolicy.USER_AGENT_REFERER_HEADERS
        }
    }
});