AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2026-03-25 · Documentation medium

File: AmazonCloudFront/latest/DeveloperGuide/viewer-mtls-headers.md

Summary

Clarified that CloudFront-Viewer-Cert-Pem header is not exposed to edge functions (Lambda@Edge or CloudFront Functions) due to potential header size and is only forwarded to the origin.

Security assessment

This change documents a limitation in mTLS header exposure to edge functions, which is relevant for security implementations using client certificates. However, there's no evidence this addresses a specific security vulnerability.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/viewer-mtls-headers.md b/AmazonCloudFront/latest/DeveloperGuide/viewer-mtls-headers.md
index de7168ac5..36b35fb80 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/viewer-mtls-headers.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/viewer-mtls-headers.md
@@ -21 +21 @@ CloudFront-Viewer-Cert-Sha256 | The SHA256 hash of the client certificate | 01fb
-For origin requests, two additional headers are supplied, in addition the headers above made available for cache behaviors:
+For origin requests, two additional headers are supplied, in addition to the headers above made available for cache behaviors. Due to potential header size, CloudFront-Viewer-Cert-Pem header is not exposed to edge functions (Lambda@Edge or CloudFront Functions) and is only forwarded to the origin.