Resource: awsCloudfrontResponseHeadersPolicy

Provides a CloudFront response headers policy resource. A response headers policy contains information about a set of HTTP response headers and their values. After you create a response headers policy, you can use its ID to attach it to one or more cache behaviors in a CloudFront distribution. When it’s attached to a cache behavior, CloudFront adds the headers in the policy to every response that it sends for requests that match the cache behavior.

Example Usage

The example below creates a CloudFront response headers policy.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.cloudfrontResponseHeadersPolicy.CloudfrontResponseHeadersPolicy(
  this,
  "example",
  {
    comment: "test comment",
    corsConfig: {
      accessControlAllowCredentials: true,
      accessControlAllowHeaders: {
        items: ["test"],
      },
      accessControlAllowMethods: {
        items: ["GET"],
      },
      accessControlAllowOrigins: {
        items: ["test.example.comtest"],
      },
      originOverride: true,
    },
    name: "example-policy",
  }
);

The example below creates a CloudFront response headers policy with a custom headers config.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.cloudfrontResponseHeadersPolicy.CloudfrontResponseHeadersPolicy(
  this,
  "example",
  {
    customHeadersConfig: {
      items: [
        {
          header: "X-Permitted-Cross-Domain-Policies",
          override: true,
          value: "none",
        },
        {
          header: "X-Test",
          override: true,
          value: "none",
        },
      ],
    },
    name: "example-headers-policy",
  }
);

The example below creates a CloudFront response headers policy with a custom headers config and server timing headers config.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.cloudfrontResponseHeadersPolicy.CloudfrontResponseHeadersPolicy(
  this,
  "example",
  {
    customHeadersConfig: {
      items: [
        {
          header: "X-Permitted-Cross-Domain-Policies",
          override: true,
          value: "none",
        },
      ],
    },
    name: "example-headers-policy",
    serverTimingHeadersConfig: {
      enabled: true,
      samplingRate: 50,
    },
  }
);

Argument Reference

The following arguments are supported:

  • name - (Required) A unique name to identify the response headers policy.
  • comment - (Optional) A comment to describe the response headers policy. The comment cannot be longer than 128 characters.
  • corsConfig - (Optional) A configuration for a set of HTTP response headers that are used for Cross-Origin Resource Sharing (CORS). See Cors Config for more information.
  • customHeadersConfig - (Optional) Object that contains an attribute items that contains a list of custom headers. See Custom Header for more information.
  • securityHeadersConfig - (Optional) A configuration for a set of security-related HTTP response headers. See Security Headers Config for more information.
  • serverTimingHeadersConfig - (Optional) A configuration for enabling the Server-Timing header in HTTP responses sent from CloudFront. See Server Timing Headers Config for more information.

Cors Config

  • accessControlAllowCredentials - (Required) A Boolean value that CloudFront uses as the value for the Access-Control-Allow-Credentials HTTP response header.
  • accessControlAllowHeaders - (Required) Object that contains an attribute items that contains a list of HTTP header names that CloudFront includes as values for the Access-Control-Allow-Headers HTTP response header.
  • accessControlAllowMethods - (Required) Object that contains an attribute items that contains a list of HTTP methods that CloudFront includes as values for the Access-Control-Allow-Methods HTTP response header. Valid values: GET | POST | OPTIONS | PUT | DELETE | HEAD | ALL
  • accessControlAllowOrigins - (Required) Object that contains an attribute items that contains a list of origins that CloudFront can use as the value for the Access-Control-Allow-Origin HTTP response header.
  • accessControlExposeHeaders - (Optional) Object that contains an attribute items that contains a list of HTTP headers that CloudFront includes as values for the Access-Control-Expose-Headers HTTP response header.
  • accessControlMaxAgeSec - (Optional) A number that CloudFront uses as the value for the Access-Control-Max-Age HTTP response header.
  • originOverride - (Required) A Boolean value that determines how CloudFront behaves for the HTTP response header.

Custom Header

  • header - (Required) The HTTP response header name.
  • override - (Required) Whether CloudFront overrides a response header with the same name received from the origin with the header specified here.
  • value - (Required) The value for the HTTP response header.

Security Headers Config

  • contentSecurityPolicy - (Optional) The policy directives and their values that CloudFront includes as values for the Content-Security-Policy HTTP response header. See Content Security Policy for more information.
  • contentTypeOptions - (Optional) Determines whether CloudFront includes the X-Content-Type-Options HTTP response header with its value set to nosniff. See Content Type Options for more information.
  • frameOptions - (Optional) Determines whether CloudFront includes the X-Frame-Options HTTP response header and the header’s value. See Frame Options for more information.
  • referrerPolicy - (Optional) Determines whether CloudFront includes the Referrer-Policy HTTP response header and the header’s value. See Referrer Policy for more information.
  • strictTransportSecurity - (Optional) Determines whether CloudFront includes the Strict-Transport-Security HTTP response header and the header’s value. See Strict Transport Security for more information.
  • xssProtection - (Optional) Determines whether CloudFront includes the X-XSS-Protection HTTP response header and the header’s value. See XSS Protection for more information.

Content Security Policy

  • contentSecurityPolicy - (Required) The policy directives and their values that CloudFront includes as values for the Content-Security-Policy HTTP response header.
  • override - (Required) Whether CloudFront overrides the Content-Security-Policy HTTP response header received from the origin with the one specified in this response headers policy.

Content Type Options

  • override - (Required) Whether CloudFront overrides the X-Content-Type-Options HTTP response header received from the origin with the one specified in this response headers policy.

Frame Options

  • frameOption - (Required) The value of the X-Frame-Options HTTP response header. Valid values: DENY | SAMEORIGIN
  • override - (Required) Whether CloudFront overrides the X-Frame-Options HTTP response header received from the origin with the one specified in this response headers policy.

Referrer Policy

  • referrerPolicy - (Required) The value of the Referrer-Policy HTTP response header. Valid values: no-referrer | no-referrer-when-downgrade | origin | origin-when-cross-origin | same-origin | strict-origin | strict-origin-when-cross-origin | unsafe-url
  • override - (Required) Whether CloudFront overrides the Referrer-Policy HTTP response header received from the origin with the one specified in this response headers policy.

Strict Transport Security

  • accessControlMaxAgeSec - (Required) A number that CloudFront uses as the value for the max-age directive in the Strict-Transport-Security HTTP response header.
  • includeSubdomains - (Optional) Whether CloudFront includes the includeSubDomains directive in the Strict-Transport-Security HTTP response header.
  • override - (Required) Whether CloudFront overrides the Strict-Transport-Security HTTP response header received from the origin with the one specified in this response headers policy.
  • preload - (Optional) Whether CloudFront includes the preload directive in the Strict-Transport-Security HTTP response header.

XSS Protection

  • modeBlock - (Required) Whether CloudFront includes the mode=block directive in the X-XSS-Protection header.
  • override - (Required) Whether CloudFront overrides the X-XSS-Protection HTTP response header received from the origin with the one specified in this response headers policy.
  • protection - (Required) A Boolean value that determines the value of the X-XSS-Protection HTTP response header. When this setting is true, the value of the X-XSS-Protection header is 1. When this setting is false, the value of the X-XSS-Protection header is 0.
  • reportUri - (Optional) A reporting URI, which CloudFront uses as the value of the report directive in the X-XSS-Protection header. You cannot specify a reportUri when modeBlock is true.

Server Timing Headers Config

  • enabled - (Required) Whether CloudFront adds the Server-Timing header to HTTP responses that it sends for requests that match a cache behavior associated with this response headers policy.
  • samplingRate - (Required) A number from 0 to 100 (inclusive) that specifies the percentage of responses to which CloudFront adds the Server-Timing header. Valid range: minimum value of 0.0, maximum value of 100.0.
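As an added example that is not part of the provider docs, the following builds a hardened securityHeadersConfig in the shape this resource's props accept and checks it against the constraints listed under Security Headers Config and Server Timing Headers Config before synth. The local interfaces, the policy values and validatePolicy are assumptions standing in for the generated provider's CloudfrontResponseHeadersPolicyConfig type; the uppercase frame option follows the CloudFront API.

```typescript
// Added example, not from the provider docs. These interfaces mirror the
// documented arguments; in a real stack the generated provider's own
// CloudfrontResponseHeadersPolicyConfig type would be used instead.
interface SecurityHeadersConfig {
  contentSecurityPolicy?: { contentSecurityPolicy: string; override: boolean };
  contentTypeOptions?: { override: boolean };
  frameOptions?: { frameOption: "DENY" | "SAMEORIGIN"; override: boolean };
  referrerPolicy?: { referrerPolicy: string; override: boolean };
  strictTransportSecurity?: {
    accessControlMaxAgeSec: number; includeSubdomains?: boolean; preload?: boolean; override: boolean;
  };
  xssProtection?: { modeBlock: boolean; override: boolean; protection: boolean; reportUri?: string };
}
interface PolicyConfig {
  name: string;
  comment?: string;
  securityHeadersConfig?: SecurityHeadersConfig;
  serverTimingHeadersConfig?: { enabled: boolean; samplingRate: number };
}
// Baseline policy (constructed values): every header overrides whatever the
// origin sends, so a misconfigured origin cannot weaken the browser-side controls.
const hardenedPolicy: PolicyConfig = {
  name: "hardened-security-headers",
  comment: "Baseline browser security headers; CloudFront values win over origin",
  securityHeadersConfig: {
    contentSecurityPolicy: {
      contentSecurityPolicy: "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
      override: true,
    },
    contentTypeOptions: { override: true }, // emits X-Content-Type-Options: nosniff
    frameOptions: { frameOption: "DENY", override: true },
    referrerPolicy: { referrerPolicy: "strict-origin-when-cross-origin", override: true },
    strictTransportSecurity: {
      accessControlMaxAgeSec: 63072000, includeSubdomains: true, preload: true, override: true, // two years
    },
  },
};
// Returns the documented constraints a config violates; an empty array means it can be deployed.
function validatePolicy(cfg: PolicyConfig): string[] {
  const errors: string[] = [];
  if (cfg.comment !== undefined && cfg.comment.length > 128) errors.push("comment exceeds 128 characters");
  const xss = cfg.securityHeadersConfig?.xssProtection;
  if (xss?.modeBlock && xss.reportUri !== undefined) errors.push("reportUri is not allowed when modeBlock is true");
  const timing = cfg.serverTimingHeadersConfig;
  if (timing && (timing.samplingRate < 0 || timing.samplingRate > 100)) errors.push("samplingRate must be 0-100");
  return errors;
}
```

Run validatePolicy on the config object before handing it to the CloudfrontResponseHeadersPolicy constructor so a rejected plan is caught locally rather than at apply time.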

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • etag - The current version of the response headers policy.
  • id - The identifier for the response headers policy.

Import

Cloudfront Response Headers Policies can be imported using the id, e.g.

$ terraform import aws_cloudfront_response_headers_policy.policy 658327ea-f89d-4fab-a63d-7e88639e58f9