
Update header policy to allow more #94

Merged 1 commit, Apr 18, 2024

Conversation

dylanratcliffe (Member)

No description provided.


Expected Changes

updated cloudfront-response-headers-policy › 8ed09a88-177f-4f37-a844-66b7b54a7cda
--- current
+++ planned
@@ -1,22 +1,26 @@
-comment: This inforces some appliction-source security headers
+comment: This controls which headers are cached for baseline applications. This includes headers that are safe to cache and won't change from the backend
 cors_config:
     - access_control_allow_credentials: false
       access_control_allow_headers:
         - items:
-            - X-Example-Header
+            - Accept
+            - Accept-Encoding
+            - Content-Encoding
+            - Content-Length
+            - Content-Type
       access_control_allow_methods:
         - items:
             - GET
       access_control_allow_origins:
         - items:
-            - test.example.comtest
+            - storage.overmind-demo.com
       access_control_expose_headers: []
       access_control_max_age_sec: 0
       origin_override: true
 custom_headers_config: []
 etag: E23ZP02F085DFQ
 id: 8ed09a88-177f-4f37-a844-66b7b54a7cda
-name: security-policy
+name: baseline
 remove_headers_config: []
 security_headers_config: []
 server_timing_headers_config: []
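Review bot: the new comment line says this policy "controls which headers are cached", but a response headers policy's cors_config only sets the Access-Control-* headers CloudFront adds to responses; what CloudFront caches on is decided by the distribution's cache policy, so the comment should describe this as the baseline CORS header set (and, since security_headers_config stays empty, the old "enforces security headers" wording was never accurate either). In the same hunk, Accept-Encoding and Content-Length are request headers the browser sets itself and page scripts cannot add, so listing them under access_control_allow_headers has no effect, and Accept is already CORS-safelisted; Content-Type does need listing if clients send non-form media types such as application/json. Two things worth confirming before merging: that CloudFront matches the bare "storage.overmind-demo.com" entry against a browser Origin header, which carries the scheme (https://storage.overmind-demo.com; AWS's own examples use that form), and that origin_override: true is intended, because it replaces any CORS headers the origin itself returns.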

Blast Radius

Items: 342, Edges: 348

Risks

Potential Cache Behavior Changes with CloudFront Distribution [Medium]

The modifications in the AWS CloudFront response headers policy, including an expansion of accepted headers and change of allowed origins, might impact the existing caching behavior configured for CloudFront distributions, particularly E15V1JM5GZXBKB. This distribution currently utilizes a specific set of headers for caching strategies, and altering these headers or allowed origins without a corresponding adjustment in caching rules could lead to cache inefficiencies or unexpected caching behavior, potentially affecting content delivery performance. As the current state of infrastructure indicates a reliance on specific CloudFront distributions for content delivery, any unintended alterations in cache behavior could degrade user experience due to stale content or increased load times.

Cross-Origin Resource Sharing (CORS) Misconfiguration [Medium]

Updating the access_control_allow_origins to a broader or different domain as specified in the changes could inadvertently expose resources via CORS to origins that were not intended, considering the current setting restricts it to test.example.comtest. This is relevant because CORS policies dictate which external domains can request your resources, and hence, configuring them to be too permissive could expose sensitive information or services to untrusted origins. Reflecting on the current infrastructure, specifically the CloudFront distribution and the ECS tasks that might be serving content or APIs, this exposure holds a tangible risk.

Increased Backend Load Due to Expansion of Allowed Headers [Medium]

By expanding the set of access_control_allow_headers, the backend ECS tasks, like the facial recognition and visit counter services, may experience an unexpected increase in load. This might occur due to an uptick in requests that were previously blocked by CloudFront's stricter CORS policy but are now allowed. Given the finite resources allocated to these tasks, a significant increase in incoming requests could lead to performance degradation or even service downtime, especially if the auto-scaling mechanisms are not adequately configured to handle such spikes in demand.
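The simulator below is an added example, not code from this PR or from Overmind. It models the CORS decisions a CloudFront response headers policy makes, loaded with the current and planned cors_config values from the diff above, so the three risk claims can be checked mechanically: which of the newly allowed headers change anything at all, whether the origin list is actually broader, and what a preflight from the demo origin would receive. Two assumptions are built in and marked in comments: the browser's Origin header is compared verbatim against the configured origin list, and the forbidden and safelisted request-header sets are abbreviated from the Fetch specification.

```python
"""Added example: check the CORS effect of the policy change in this PR.

Not part of the PR or Overmind's output. Values under CURRENT and PLANNED
are copied from the diff; everything else is an assumption noted inline.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Request headers the browser sets itself and page scripts cannot override
# (abbreviated from the Fetch spec's forbidden request-header names).
# Listing one in Access-Control-Allow-Headers is inert: it never appears in a
# preflight's Access-Control-Request-Headers.
FORBIDDEN_REQUEST_HEADERS = frozenset({
    "accept-encoding", "content-length", "cookie", "host", "origin",
    "referer", "connection", "date", "via",
})
# Header names a browser never includes in Access-Control-Request-Headers
# because they are CORS-safelisted. Content-Type is deliberately absent: it is
# safelisted only for form/text media types, so application/json requests
# still need it listed in the policy.
SAFELISTED_REQUEST_HEADERS = frozenset({
    "accept", "accept-language", "content-language",
})


@dataclass(frozen=True)
class CorsConfig:
    """The cors_config block of a CloudFront response headers policy."""
    allow_origins: FrozenSet[str]
    allow_methods: FrozenSet[str]
    allow_headers: FrozenSet[str]
    allow_credentials: bool = False
    max_age_sec: int = 0


# Values copied from the "current" and "planned" sides of the diff.
CURRENT = CorsConfig(
    allow_origins=frozenset({"test.example.comtest"}),
    allow_methods=frozenset({"GET"}),
    allow_headers=frozenset({"X-Example-Header"}),
)
PLANNED = CorsConfig(
    allow_origins=frozenset({"storage.overmind-demo.com"}),
    allow_methods=frozenset({"GET"}),
    allow_headers=frozenset({"Accept", "Accept-Encoding", "Content-Encoding",
                             "Content-Length", "Content-Type"}),
)


def inert_allow_headers(cfg: CorsConfig) -> FrozenSet[str]:
    """Allowed headers a script can never send, so listing them does nothing."""
    return frozenset(h for h in cfg.allow_headers
                     if h.lower() in FORBIDDEN_REQUEST_HEADERS)


def redundant_allow_headers(cfg: CorsConfig) -> FrozenSet[str]:
    """Allowed headers that are already CORS-safelisted (harmless to list)."""
    return frozenset(h for h in cfg.allow_headers
                     if h.lower() in SAFELISTED_REQUEST_HEADERS)


def origins_broadened(old: CorsConfig, new: CorsConfig) -> bool:
    """True only if the new policy admits every old origin plus more, or '*'."""
    if "*" in new.allow_origins:
        return True
    return old.allow_origins < new.allow_origins


def preflight(cfg: CorsConfig, origin: str, method: str,
              requested_headers: FrozenSet[str]) -> Optional[Dict[str, str]]:
    """CORS response headers for a preflight, or None if none would be added.

    Assumption: the Origin request header is compared verbatim against the
    configured list, so a bare hostname entry does not match 'https://host'.
    Verify this against CloudFront before relying on it.
    """
    wildcard = "*" in cfg.allow_origins
    if not wildcard and origin not in cfg.allow_origins:
        return None
    if method.upper() not in {m.upper() for m in cfg.allow_methods}:
        return None
    allowed = {h.lower() for h in cfg.allow_headers} | SAFELISTED_REQUEST_HEADERS
    if any(h.lower() not in allowed for h in requested_headers):
        return None
    headers = {
        "Access-Control-Allow-Origin": "*" if wildcard else origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(cfg.allow_methods)),
        "Access-Control-Allow-Headers": ", ".join(sorted(cfg.allow_headers)),
        "Access-Control-Max-Age": str(cfg.max_age_sec),
    }
    if cfg.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    print("inert allowed headers:", sorted(inert_allow_headers(PLANNED)))
    print("origins broadened:", origins_broadened(CURRENT, PLANNED))
    print(preflight(PLANNED, "storage.overmind-demo.com", "GET", frozenset()))
    print(preflight(PLANNED, "https://storage.overmind-demo.com", "GET", frozenset()))
```

Run as a script it reports that Accept-Encoding and Content-Length are inert, that the origin list was replaced rather than broadened (one origin before, one after, no wildcard), and that a preflight matches only when the Origin header equals the configured string exactly; the last print is the case to verify against a real CloudFront distribution, since browsers always send the scheme in Origin.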

dylanratcliffe merged commit 1ed4742 into main, Apr 18, 2024
2 checks passed
dylanratcliffe deleted the dylanratcliffe-patch-3 branch, April 18, 2024 09:44