AWS Security ChangesHomeSearch

AWS AmazonCloudFront high security documentation change

Service: AmazonCloudFront · 2026-04-28 · Security-related high

File: AmazonCloudFront/latest/DeveloperGuide/add-origin-custom-headers.md

Summary

Updated guidance for forwarding Authorization header and added security warning about cache key configuration

Security assessment

Added explicit warning that forwarding Authorization header without including it in cache key could allow unauthorized access to cached content. This addresses a security vulnerability where misconfiguration could lead to privilege escalation by serving protected content to unauthorized users.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/add-origin-custom-headers.md b/AmazonCloudFront/latest/DeveloperGuide/add-origin-custom-headers.md
index ae3ebd529..641530542 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/add-origin-custom-headers.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/add-origin-custom-headers.md
@@ -132 +132 @@ When CloudFront forwards a viewer request to your origin, CloudFront removes som
-  * Use an origin request policy that forwards all viewer headers to the origin. You cannot forward the `Authorization` header individually in an origin request policy, but when you forward all viewer headers CloudFront includes the `Authorization` header in viewer requests. CloudFront provides a managed origin request policy for this use case, called **Managed-AllViewer**. For more information, see [Use managed origin request policies](./using-managed-origin-request-policies.html).
+  * Add the `Authorization` header individually in an origin request policy. For more information, see [Control origin requests with a policy](./controlling-origin-requests.html).
@@ -133,0 +134 @@ When CloudFront forwards a viewer request to your origin, CloudFront removes som
+  * Use an origin request policy that forwards all viewer headers to the origin. CloudFront provides a managed origin request policy for this use case, called **Managed-AllViewer**. For more information, see [Use managed origin request policies](./using-managed-origin-request-policies.html).
@@ -136,0 +138,5 @@ When CloudFront forwards a viewer request to your origin, CloudFront removes som
+
+###### Important
+
+If you forward the `Authorization` header to your origin without including it in the cache key, ensure that your origin does not rely on the `Authorization` header for access control of cached content. When the `Authorization` header is not part of the cache key, CloudFront can serve the same cached response to both authorized and unauthorized viewers. Either include the `Authorization` header in the cache key using a cache policy, or disable caching entirely for origins that require origin-side authorization processing.
+