AWS CloudFront Response Headers Policy
udx-github edited this page Jul 3, 2026
Creates an AWS CloudFront Response Headers Policy for attaching reusable response header settings to CloudFront cache behaviors.
- Security response headers:
- Strict-Transport-Security
- Content-Security-Policy
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
- X-XSS-Protection
- Custom response headers, including Permissions-Policy.
- Response header removal.
- Server-Timing headers.
- String or list input for Content-Security-Policy values.
- String or list input for custom header values.
- AWS credentials with permissions to manage CloudFront response headers policies.
- A CloudFront distribution cache behavior that references the generated policy by name through `response_headers_policy_name`.
- `configurations.name` is the CloudFront response headers policy name.
- `configurations.description` maps to the CloudFront policy comment field.
- `security_headers.*.enabled` controls whether each managed security header is included.
- `content_security_policy.policy` may be a string or an array of strings. Array values are joined with `;`.
- `custom_headers[*].value` may be a string or an array of strings. Array values are joined with `,`.
- `remove_headers` may be a list of header name strings or objects with `header` and `enabled` fields.
```yaml
services:
  - name: "AWS CloudFront Response Headers Policy"
    module: "aws-cloudfront-response-headers-policy"
    id: "my-response-headers-policy"
    configurations:
      region: "us-east-1"
      name: "my-custom-security-headers"
      description: "Security headers for my site"
      security_headers:
        strict_transport_security:
          enabled: true
          max_age_sec: 31536000
          include_subdomains: true
          preload: true
          override: true
        content_security_policy:
          enabled: true
          override: false
          policy:
            - "default-src 'self'"
            - "upgrade-insecure-requests"
      custom_headers:
        - header: "Permissions-Policy"
          value: "geolocation=(), microphone=(), camera=()"
          override: false
```

All fields are under `configurations:`.
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| `region` | string | Optional | `us-east-1` | AWS region used by the module. CloudFront is global, but the AWS provider still requires a region. |
| `name` | string | Required | `rabbit-custom-security-headers` | CloudFront response headers policy name. |
| `description` | string | Optional | empty string | Comment stored on the CloudFront response headers policy. |
| `remove_headers` | list(string or object) | Optional | `[]` | Headers to remove from origin responses. Object form supports `header` and `enabled`. |
| `server_timing.enabled` | boolean | Optional | `false` | Enables the CloudFront Server-Timing header config. |
| `server_timing.sampling_rate` | number | Optional | `0` | Sampling rate for Server-Timing headers. |
| `security_headers.strict_transport_security.enabled` | boolean | Optional | `true` | Includes the HSTS header config. |
| `security_headers.strict_transport_security.max_age_sec` | number | Optional | `31536000` | HSTS max-age in seconds. |
| `security_headers.strict_transport_security.include_subdomains` | boolean | Optional | `true` | Includes the HSTS includeSubDomains directive. |
| `security_headers.strict_transport_security.preload` | boolean | Optional | `true` | Includes the HSTS preload directive. |
| `security_headers.strict_transport_security.override` | boolean | Optional | `true` | Overrides an origin-provided HSTS header. |
| `security_headers.content_security_policy.enabled` | boolean | Optional | `true` | Includes the Content-Security-Policy header config. |
| `security_headers.content_security_policy.policy` | string or list(string) | Optional | `default-src 'self';` | Content-Security-Policy value. Lists are joined with `;`. |
| `security_headers.content_security_policy.override` | boolean | Optional | `true` | Overrides an origin-provided Content-Security-Policy header. |
| `security_headers.frame_options.enabled` | boolean | Optional | `true` | Includes the X-Frame-Options header config. |
| `security_headers.frame_options.option` | string | Optional | `SAMEORIGIN` | X-Frame-Options value. |
| `security_headers.frame_options.override` | boolean | Optional | `true` | Overrides an origin-provided X-Frame-Options header. |
| `security_headers.content_type_options.enabled` | boolean | Optional | `true` | Includes the X-Content-Type-Options header config. |
| `security_headers.content_type_options.override` | boolean | Optional | `true` | Overrides an origin-provided X-Content-Type-Options header. |
| `security_headers.xss_protection.enabled` | boolean | Optional | `true` | Includes the X-XSS-Protection header config. |
| `security_headers.xss_protection.mode_block` | boolean | Optional | `true` | Enables X-XSS-Protection block mode. |
| `security_headers.xss_protection.report_uri` | string or null | Optional | `null` | Optional report URI for X-XSS-Protection. |
| `security_headers.xss_protection.override` | boolean | Optional | `true` | Overrides an origin-provided X-XSS-Protection header. |
| `security_headers.referrer_policy.enabled` | boolean | Optional | `true` | Includes the Referrer-Policy header config. |
| `security_headers.referrer_policy.policy` | string | Optional | `strict-origin-when-cross-origin` | Referrer-Policy value. |
| `security_headers.referrer_policy.override` | boolean | Optional | `true` | Overrides an origin-provided Referrer-Policy header. |
| `custom_headers` | list(object) | Optional | `[]` | Custom response headers to add. |
| `custom_headers[*].header` | string | Required when a custom header is used | none | Header name. |
| `custom_headers[*].value` | string or list(string) | Required when a custom header is used | none | Header value. Lists are joined with `,`. |
| `custom_headers[*].override` | boolean | Optional | `false` | Overrides an origin-provided header with the same name. |
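To make the list-joining rules from the notes above and the defaults in the field table concrete, here is an added example (not the module's own code) that renders the header values a `configurations:` block would produce and normalizes `remove_headers`. The function names, the `nosniff` and `1; mode=block` renderings, and the separator spacing (`"; "` and `", "`) are assumptions, since the page only states the separator characters.

```python
# Added example, not the module's code: renders header values from a `configurations:`
# block using the page's joining rules and table defaults; separator spacing is assumed.
SH_DEFAULTS = {
    "strict_transport_security": {"enabled": True, "max_age_sec": 31536000, "include_subdomains": True, "preload": True},
    "content_security_policy": {"enabled": True, "policy": "default-src 'self';"},
    "frame_options": {"enabled": True, "option": "SAMEORIGIN"},
    "content_type_options": {"enabled": True},
    "xss_protection": {"enabled": True, "mode_block": True, "report_uri": None},
    "referrer_policy": {"enabled": True, "policy": "strict-origin-when-cross-origin"},
}

def join_value(value, sep):  # string or list input; lists are joined with sep
    return sep.join(value) if isinstance(value, list) else value

def render_headers(cfg):
    """Return {header name: value} for the managed security and custom headers."""
    sh = cfg.get("security_headers", {})
    def opt(h, k):  # configured value, else the default from the field table
        return sh.get(h, {}).get(k, SH_DEFAULTS[h][k])
    out = {}
    if opt("strict_transport_security", "enabled"):
        v = f"max-age={opt('strict_transport_security', 'max_age_sec')}"
        v += "; includeSubDomains" if opt("strict_transport_security", "include_subdomains") else ""
        v += "; preload" if opt("strict_transport_security", "preload") else ""
        out["Strict-Transport-Security"] = v
    if opt("content_security_policy", "enabled"):
        out["Content-Security-Policy"] = join_value(opt("content_security_policy", "policy"), "; ")
    if opt("frame_options", "enabled"):
        out["X-Frame-Options"] = opt("frame_options", "option")
    if opt("content_type_options", "enabled"):
        out["X-Content-Type-Options"] = "nosniff"
    if opt("xss_protection", "enabled"):
        uri = opt("xss_protection", "report_uri")
        v = "1; mode=block" if opt("xss_protection", "mode_block") else "1"
        out["X-XSS-Protection"] = v + (f"; report={uri}" if uri else "")
    if opt("referrer_policy", "enabled"):
        out["Referrer-Policy"] = opt("referrer_policy", "policy")
    for h in cfg.get("custom_headers", []):
        out[h["header"]] = join_value(h["value"], ", ")
    return out

def headers_to_remove(cfg):  # remove_headers: plain strings or {header, enabled} objects
    return [i if isinstance(i, str) else i["header"]
            for i in cfg.get("remove_headers", [])
            if isinstance(i, str) or i.get("enabled", True)]

# Constructed sample: list-valued CSP and custom header, mixed remove_headers forms.
SAMPLE = {"security_headers": {"content_security_policy": {"policy": ["default-src 'self'", "upgrade-insecure-requests"]}},
          "custom_headers": [{"header": "Permissions-Policy", "value": ["geolocation=()", "camera=()"]}],
          "remove_headers": ["Server", {"header": "X-Powered-By", "enabled": False}]}
```

Fields left out of `SAMPLE` fall back to the table defaults, so `render_headers({})` shows exactly what the policy emits when only `name` is configured.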
Outputs:

- `id` - CloudFront response headers policy ID.
- `name` - CloudFront response headers policy name.