AWS CloudFront Response Headers Policy

udx-github edited this page Jul 3, 2026 · 1 revision

Creates an AWS CloudFront Response Headers Policy for attaching reusable response header settings to CloudFront cache behaviors.

Supported Features

  • Security response headers:
    • Strict-Transport-Security
    • Content-Security-Policy
    • X-Frame-Options
    • X-Content-Type-Options
    • Referrer-Policy
    • X-XSS-Protection
  • Custom response headers, including Permissions-Policy.
  • Response header removal.
  • Server-Timing headers.
  • String or list input for Content-Security-Policy values.
  • String or list input for custom header values.

Prerequisites

  • AWS credentials with permissions to manage CloudFront response headers policies.
  • A CloudFront distribution cache behavior that references the generated policy by name through response_headers_policy_name.

Important Notes

  • configurations.name is the CloudFront response headers policy name.
  • configurations.description maps to the CloudFront policy comment field.
  • security_headers.*.enabled controls whether each managed security header is included.
  • content_security_policy.policy may be a string or an array of strings. Array values are joined with a semicolon (;).
  • custom_headers[*].value may be a string or an array of strings. Array values are joined with a comma (,).
  • remove_headers may be a list of header name strings or objects with header and enabled fields.

Minimal Example

services:
  - name: "AWS CloudFront Response Headers Policy"
    module: "aws-cloudfront-response-headers-policy"
    id: "my-response-headers-policy"
    configurations:
      region: "us-east-1"
      name: "my-custom-security-headers"
      description: "Security headers for my site"

      security_headers:
        strict_transport_security:
          enabled: true
          max_age_sec: 31536000
          include_subdomains: true
          preload: true
          override: true

        content_security_policy:
          enabled: true
          override: false
          policy:
            - "default-src 'self'"
            - "upgrade-insecure-requests"

      custom_headers:
        - header: "Permissions-Policy"
          value: "geolocation=(), microphone=(), camera=()"
          override: false

Full Configuration Schema

All fields are under configurations:.

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| region | string | Optional | us-east-1 | AWS region used by the module. CloudFront is global, but the AWS provider still requires a region. |
| name | string | Required | rabbit-custom-security-headers | CloudFront response headers policy name. |
| description | string | Optional | empty string | Comment stored on the CloudFront response headers policy. |
| remove_headers | list(string or object) | Optional | [] | Headers to remove from origin responses. Object form supports header and enabled. |
| server_timing.enabled | boolean | Optional | false | Enables the CloudFront Server-Timing header config. |
| server_timing.sampling_rate | number | Optional | 0 | Sampling rate for Server-Timing headers. |
| security_headers.strict_transport_security.enabled | boolean | Optional | true | Includes the HSTS header config. |
| security_headers.strict_transport_security.max_age_sec | number | Optional | 31536000 | HSTS max-age in seconds. |
| security_headers.strict_transport_security.include_subdomains | boolean | Optional | true | Includes the HSTS includeSubDomains directive. |
| security_headers.strict_transport_security.preload | boolean | Optional | true | Includes the HSTS preload directive. |
| security_headers.strict_transport_security.override | boolean | Optional | true | Overrides an origin-provided HSTS header. |
| security_headers.content_security_policy.enabled | boolean | Optional | true | Includes the Content-Security-Policy header config. |
| security_headers.content_security_policy.policy | string or list(string) | Optional | default-src 'self'; | Content-Security-Policy value. Lists are joined with a semicolon (;). |
| security_headers.content_security_policy.override | boolean | Optional | true | Overrides an origin-provided Content-Security-Policy header. |
| security_headers.frame_options.enabled | boolean | Optional | true | Includes the X-Frame-Options header config. |
| security_headers.frame_options.option | string | Optional | SAMEORIGIN | X-Frame-Options value. |
| security_headers.frame_options.override | boolean | Optional | true | Overrides an origin-provided X-Frame-Options header. |
| security_headers.content_type_options.enabled | boolean | Optional | true | Includes the X-Content-Type-Options header config. |
| security_headers.content_type_options.override | boolean | Optional | true | Overrides an origin-provided X-Content-Type-Options header. |
| security_headers.xss_protection.enabled | boolean | Optional | true | Includes the X-XSS-Protection header config. |
| security_headers.xss_protection.mode_block | boolean | Optional | true | Enables X-XSS-Protection block mode. |
| security_headers.xss_protection.report_uri | string or null | Optional | null | Optional report URI for X-XSS-Protection. |
| security_headers.xss_protection.override | boolean | Optional | true | Overrides an origin-provided X-XSS-Protection header. |
| security_headers.referrer_policy.enabled | boolean | Optional | true | Includes the Referrer-Policy header config. |
| security_headers.referrer_policy.policy | string | Optional | strict-origin-when-cross-origin | Referrer-Policy value. |
| security_headers.referrer_policy.override | boolean | Optional | true | Overrides an origin-provided Referrer-Policy header. |
| custom_headers | list(object) | Optional | [] | Custom response headers to add. |
| custom_headers[*].header | string | Required when a custom header is used | none | Header name. |
| custom_headers[*].value | string or list(string) | Required when a custom header is used | none | Header value. Lists are joined with a comma (,). |
| custom_headers[*].override | boolean | Optional | false | Overrides an origin-provided header with the same name. |

Outputs

  • id - CloudFront response headers policy ID.
  • name - CloudFront response headers policy name.