Cache all headers #100

Closed
wants to merge 1 commit into from

dylanratcliffe
Member

No description provided.


Expected Changes

updated cloudfront-response-headers-policy › 8ed09a88-177f-4f37-a844-66b7b54a7cda
--- current
+++ planned
@@ -3,11 +3,7 @@
     - access_control_allow_credentials: false
       access_control_allow_headers:
         - items:
-            - Accept
-            - Accept-Encoding
-            - Content-Encoding
-            - Content-Length
-            - Content-Type
+            - '*'
       access_control_allow_methods:
         - items:
             - GET
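
Review bot: the wildcard `'*'` under access_control_allow_headers is broader than anything the PR justifies, and the PR has no description saying which extra request header is needed; keep the explicit list and append only the header(s) actually required. This field sets the CORS Access-Control-Allow-Headers value, which governs which request headers a cross-origin page may send. It does not control caching, so the title "Cache all headers" does not match the change and should be corrected. The `*` is only treated as a wildcard by browsers because access_control_allow_credentials is false in the context line above; if that is ever changed to true, `*` is interpreted as a literal header name and cross-origin requests that send other headers will fail preflight. Even without credentials, the wildcard does not cover the Authorization header, which must be listed by name if it is the one being added.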

Blast Radius

Items: 78, Edges: 88


Risks

Broad Header Allowance and Potential Information Exposure [Medium]

By allowing all headers (*) through the aws_cloudfront_response_headers_policy named headers-policy, there's an increased risk of unintentionally exposing sensitive headers that could contain security or operational details not intended for public consumption. Given the current state shows a controlled list of headers (e.g., Accept, Content-Type), switching to a wildcard approach significantly alters the exposure surface. This could inadvertently leak information cached at the edge, leading to potential misuse.

Unintended Behavior due to Overly Permissive Header Caching [Medium]

Caching all headers could lead to unexpected behavior where certain headers not considered during the design phase impact the application's functionality. For instance, headers controlling content behaviors or security policies might be unintentionally honored or cached, leading to inconsistencies in content delivery or unintended security implications. The specific setup of cloudfront-distribution resources, targeting optimized delivery, may be affected by unintended side effects of caching dynamic content not meant to be cached.

Increased Cache Size and Reduced Performance [Low]

Allowing all headers to be cached may result in an increased cache footprint on CloudFront, potentially leading to reduced cache efficiency and increased latency. Current cache behavior specified under cloudfront-distribution resources focuses on specific patterns and optimized TTL settings. The introduction of caching all headers (*) might deviate from these optimized settings, affecting user experience by slowing down content delivery due to increased cache misses and higher origin fetch rates.

@dylanratcliffe dylanratcliffe deleted the dylanratcliffe-patch-2 branch May 1, 2024 16:45