AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2026-04-01 · Documentation low

File: AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-canned-policy.md

Summary

Updated signed cookie documentation to include optional CloudFront-Hash-Algorithm parameter (SHA1/SHA256), added examples, and clarified requirements for hash algorithm specification.

Security assessment

The change documents the ability to specify hash algorithms (SHA1 or SHA256) for signed cookies, which is a security feature enhancement. No evidence of addressing a specific security vulnerability.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-canned-policy.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-canned-policy.md
index e389d7771..e9c3acb40 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-canned-policy.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-canned-policy.md
@@ -15 +15 @@ To set a signed cookie by using a canned policy, complete the following steps. T
-  2. Program your application to send three `Set-Cookie` headers to approved viewers. You need three `Set-Cookie` headers because each `Set-Cookie` header can contain only one name-value pair, and a CloudFront signed cookie requires three name-value pairs. The name-value pairs are: `CloudFront-Expires`, `CloudFront-Signature`, and `CloudFront-Key-Pair-Id`. The values must be present on the viewer before a user makes the first request for a file that you want to control access to. 
+  2. Program your application to send three `Set-Cookie` headers to approved viewers (or four, if you want to specify a hash algorithm). You need three `Set-Cookie` headers because each `Set-Cookie` header can contain only one name-value pair, and a CloudFront signed cookie requires three name-value pairs. The name-value pairs are: `CloudFront-Expires`, `CloudFront-Signature`, and `CloudFront-Key-Pair-Id`. You can optionally include a fourth name-value pair, `CloudFront-Hash-Algorithm`, to specify the hash algorithm used for the signature. The values must be present on the viewer before a user makes the first request for a file that you want to control access to. 
@@ -45,0 +46,7 @@ Line breaks are included only to make the attributes more readable.
+    Set-Cookie: 
+    CloudFront-Hash-Algorithm=SHA1 or SHA256; 
+    Domain=optional domain name; 
+    Path=/optional directory path; 
+    Secure; 
+    HttpOnly
+
@@ -90,0 +98,5 @@ This public key must belong to a key group that is a trusted signer in the distr
+**`CloudFront-Hash-Algorithm`**
+    
+
+(Optional) The hash algorithm used to create the signature. Supported values are `SHA1` and `SHA256`. If you don't include this cookie, CloudFront defaults to `SHA1`.
+
@@ -99,0 +112 @@ The following example shows `Set-Cookie` headers for one signed cookie when you'
+    Set-Cookie: CloudFront-Hash-Algorithm=SHA256; Domain=d111111abcdef8.cloudfront.net; Path=/images/*; Secure; HttpOnly
@@ -106,0 +120 @@ The following example shows `Set-Cookie` headers for one signed cookie when you'
+    Set-Cookie: CloudFront-Hash-Algorithm=SHA256; Domain=example.org; Path=/images/*; Secure; HttpOnly
@@ -214,0 +229,4 @@ For additional information and examples of how to hash, sign, and encode the pol
+###### Note
+
+The linked examples use SHA-1 by default. To use SHA-256 instead, replace `sha1` with `sha256` in the OpenSSL commands and include the `CloudFront-Hash-Algorithm` cookie with a value of `SHA256`.
+
@@ -217 +235,3 @@ For additional information and examples of how to hash, sign, and encode the pol
-  1. Use the SHA-1 hash function and RSA to hash and sign the policy statement that you created in the procedure To create a policy statement for a signed cookie that uses a canned policy. Use the version of the policy statement that no longer includes empty spaces.
+  1. Use the SHA-1 or SHA-256 hash function and RSA to hash and sign the policy statement that you created in the procedure To create a policy statement for a signed cookie that uses a canned policy. Use the version of the policy statement that no longer includes empty spaces.
+
+If you use SHA-256, you must include the `CloudFront-Hash-Algorithm` cookie with a value of `SHA256`.