AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2026-04-01 · Documentation medium

File: AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.md

Summary

Added documentation for optional CloudFront-Hash-Algorithm cookie to specify SHA1 or SHA256 hash algorithm for signed cookies, including examples and usage notes.

Security assessment

The change adds documentation for a new optional security feature (CloudFront-Hash-Algorithm cookie) that allows specifying stronger hash algorithms (SHA256) for signed cookies. This enhances security by enabling migration from SHA1 to SHA256, but there's no evidence in the diff that this addresses a specific security vulnerability or incident.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.md
index 0f01ea4f1..6bcae9bc3 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.md
@@ -15 +15 @@ To set a signed cookie that uses a custom policy, complete the following steps.
-  2. Program your application to send three `Set-Cookie` headers to approved viewers. You need three `Set-Cookie` headers because each `Set-Cookie` header can contain only one name-value pair, and a CloudFront signed cookie requires three name-value pairs. The name-value pairs are: `CloudFront-Policy`, `CloudFront-Signature`, and `CloudFront-Key-Pair-Id`. The values must be present on the viewer before a user makes the first request for a file that you want to control access to. 
+  2. Program your application to send three `Set-Cookie` headers to approved viewers (or four, if you want to specify a hash algorithm). You need three `Set-Cookie` headers because each `Set-Cookie` header can contain only one name-value pair, and a CloudFront signed cookie requires three name-value pairs. The name-value pairs are: `CloudFront-Policy`, `CloudFront-Signature`, and `CloudFront-Key-Pair-Id`. You can optionally include a fourth name-value pair, `CloudFront-Hash-Algorithm`, to specify the hash algorithm used for the signature. The values must be present on the viewer before a user makes the first request for a file that you want to control access to. 
@@ -46,0 +47,7 @@ Line breaks are included only to make the attributes more readable.
+    Set-Cookie: 
+    CloudFront-Hash-Algorithm=SHA1 or SHA256; 
+    Domain=optional domain name; 
+    Path=/optional directory path; 
+    Secure; 
+    HttpOnly
+
@@ -89,0 +97,5 @@ This public key must belong to a key group that is a trusted signer in the distr
+**`CloudFront-Hash-Algorithm`**
+    
+
+(Optional) The hash algorithm used to create the signature. Supported values are `SHA1` and `SHA256`. If you don't include this cookie, CloudFront defaults to `SHA1`.
+
@@ -106,0 +119 @@ You can use the `Set-Cookie` headers for one signed cookie when you're using the
+    Set-Cookie: CloudFront-Hash-Algorithm=SHA256; Domain=d111111abcdef8.cloudfront.net; Path=/; Secure; HttpOnly
@@ -115,0 +129 @@ You can use the `Set-Cookie` headers for one signed cookie when you're using an
+    Set-Cookie: CloudFront-Hash-Algorithm=SHA256; Domain=example.org; Path=/; Secure; HttpOnly
@@ -124,0 +139 @@ You can use the `Set-Cookie` header pairs for a signed request when you're using
+    Set-Cookie: CloudFront-Hash-Algorithm=SHA256; Domain=d111111abcdef8.cloudfront.net; Path=/; Secure; HttpOnly
@@ -133,0 +149 @@ You can use the `Set-Cookie` header pairs for one signed request when you're usi
+    Set-Cookie: CloudFront-Hash-Algorithm=SHA256; Domain=example.org; Path=/; Secure; HttpOnly
@@ -378,0 +395,4 @@ For additional information and examples of how to hash, sign, and encode the pol
+###### Note
+
+The linked examples use SHA-1 by default. To use SHA-256 instead, replace `sha1` with `sha256` in the OpenSSL commands and include the `CloudFront-Hash-Algorithm` cookie with a value of `SHA256`.
+
@@ -381 +401,3 @@ For additional information and examples of how to hash, sign, and encode the pol
-  1. Use the SHA-1 hash function and RSA to hash and sign the JSON policy statement that you created in the procedure [To create the policy statement for a signed URL that uses a custom policy](./private-content-creating-signed-url-custom-policy.html#private-content-custom-policy-creating-policy-procedure). Use the version of the policy statement that no longer includes empty spaces but that has not yet been base64-encoded.
+  1. Use the SHA-1 or SHA-256 hash function and RSA to hash and sign the JSON policy statement that you created in the procedure [To create the policy statement for a signed URL that uses a custom policy](./private-content-creating-signed-url-custom-policy.html#private-content-custom-policy-creating-policy-procedure). Use the version of the policy statement that no longer includes empty spaces but that has not yet been base64-encoded.
+
+If you use SHA-256, you must include the `CloudFront-Hash-Algorithm` cookie with a value of `SHA256`.