AWS AmazonCloudFront documentation change
Summary
Clarified that CloudFront-Viewer-Cert-Pem header is not exposed to edge functions (Lambda@Edge or CloudFront Functions) due to potential header size and is only forwarded to the origin.
Security assessment
This change documents a limitation in mTLS header exposure to edge functions, which is relevant for security implementations using client certificates. However, there's no evidence this addresses a specific security vulnerability.
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/viewer-mtls-headers.md b/AmazonCloudFront/latest/DeveloperGuide/viewer-mtls-headers.md index de7168ac5..36b35fb80 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/viewer-mtls-headers.md +++ b//AmazonCloudFront/latest/DeveloperGuide/viewer-mtls-headers.md @@ -21 +21 @@ CloudFront-Viewer-Cert-Sha256 | The SHA256 hash of the client certificate | 01fb -For origin requests, two additional headers are supplied, in addition the headers above made available for cache behaviors: +For origin requests, two additional headers are supplied, in addition to the headers above made available for cache behaviors. Due to potential header size, CloudFront-Viewer-Cert-Pem header is not exposed to edge functions (Lambda@Edge or CloudFront Functions) and is only forwarded to the origin.