AWS AmazonCloudFront documentation change
Summary
Updated signed cookie documentation to include optional CloudFront-Hash-Algorithm parameter (SHA1/SHA256), added examples, and clarified requirements for hash algorithm specification.
Security assessment
The change documents the ability to specify hash algorithms (SHA1 or SHA256) for signed cookies, which is a security feature enhancement. No evidence of addressing a specific security vulnerability.
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-canned-policy.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-canned-policy.md index e389d7771..e9c3acb40 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-canned-policy.md +++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-canned-policy.md @@ -15 +15 @@ To set a signed cookie by using a canned policy, complete the following steps. T - 2. Program your application to send three `Set-Cookie` headers to approved viewers. You need three `Set-Cookie` headers because each `Set-Cookie` header can contain only one name-value pair, and a CloudFront signed cookie requires three name-value pairs. The name-value pairs are: `CloudFront-Expires`, `CloudFront-Signature`, and `CloudFront-Key-Pair-Id`. The values must be present on the viewer before a user makes the first request for a file that you want to control access to. + 2. Program your application to send three `Set-Cookie` headers to approved viewers (or four, if you want to specify a hash algorithm). You need three `Set-Cookie` headers because each `Set-Cookie` header can contain only one name-value pair, and a CloudFront signed cookie requires three name-value pairs. The name-value pairs are: `CloudFront-Expires`, `CloudFront-Signature`, and `CloudFront-Key-Pair-Id`. You can optionally include a fourth name-value pair, `CloudFront-Hash-Algorithm`, to specify the hash algorithm used for the signature. The values must be present on the viewer before a user makes the first request for a file that you want to control access to. @@ -45,0 +46,7 @@ Line breaks are included only to make the attributes more readable. + Set-Cookie: + CloudFront-Hash-Algorithm=SHA1 or SHA256; + Domain=optional domain name; + Path=/optional directory path; + Secure; + HttpOnly + @@ -90,0 +98,5 @@ This public key must belong to a key group that is a trusted signer in the distr +**`CloudFront-Hash-Algorithm`** + + +(Optional) The hash algorithm used to create the signature. Supported values are `SHA1` and `SHA256`. If you don't include this cookie, CloudFront defaults to `SHA1`. + @@ -99,0 +112 @@ The following example shows `Set-Cookie` headers for one signed cookie when you' + Set-Cookie: CloudFront-Hash-Algorithm=SHA256; Domain=d111111abcdef8.cloudfront.net; Path=/images/*; Secure; HttpOnly @@ -106,0 +120 @@ The following example shows `Set-Cookie` headers for one signed cookie when you' + Set-Cookie: CloudFront-Hash-Algorithm=SHA256; Domain=example.org; Path=/images/*; Secure; HttpOnly @@ -214,0 +229,4 @@ For additional information and examples of how to hash, sign, and encode the pol +###### Note + +The linked examples use SHA-1 by default. To use SHA-256 instead, replace `sha1` with `sha256` in the OpenSSL commands and include the `CloudFront-Hash-Algorithm` cookie with a value of `SHA256`. + @@ -217 +235,3 @@ For additional information and examples of how to hash, sign, and encode the pol - 1. Use the SHA-1 hash function and RSA to hash and sign the policy statement that you created in the procedure To create a policy statement for a signed cookie that uses a canned policy. Use the version of the policy statement that no longer includes empty spaces. + 1. Use the SHA-1 or SHA-256 hash function and RSA to hash and sign the policy statement that you created in the procedure To create a policy statement for a signed cookie that uses a canned policy. Use the version of the policy statement that no longer includes empty spaces. + +If you use SHA-256, you must include the `CloudFront-Hash-Algorithm` cookie with a value of `SHA256`.