
Cache all headers #196

Closed

Conversation

dylanratcliffe (Member)

No description provided.

Expected Changes

updated cloudfront-response-headers-policy › 132e10ff-93d1-4e1a-9909-6cb69b8b743a
--- current
+++ planned
@@ -3,11 +3,7 @@
     - access_control_allow_credentials: false
       access_control_allow_headers:
         - items:
-            - Accept
-            - Accept-Encoding
-            - Content-Encoding
-            - Content-Length
-            - Content-Type
+            - '*'
       access_control_allow_methods:
         - items:
             - GET
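Review bot: This hunk rewrites the CORS access_control_allow_headers list of a response headers policy to '*', which changes which request headers a browser preflight accepts; it does not touch cache-key headers, so if the PR title "Cache all headers" describes the intent, a cache policy is the setting to change and this hunk should be dropped. If widening the CORS allow-list really is intended, keep the explicit list and append the specific headers needed rather than '*': with access_control_allow_credentials: false the wildcard is honoured by browsers, but it silently stops working if credentials are ever enabled (browsers then match '*' literally), and Authorization is never covered by '*'. The visible context shows GET under access_control_allow_methods, so it is worth confirming that an unrestricted header allow-list is needed at all for that method set.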

Blast Radius

Items: 126, Edges: 150

Risks

Potential Security Risks from Relaxed Access Control Headers in CloudFront [High]

The proposed change to the CloudFront response headers policy alters the access_control_allow_headers from a specific list (Accept, Accept-Encoding, Content-Encoding, Content-Length, Content-Type) to a wildcard ('*').

Risks:

  • Security Risk: Relaxing the access control allow headers to a wildcard might unintentionally expose sensitive data or allow injection of unauthorized headers that didn't require explicit allowance before.
  • Compliance Impact: If your organization is subject to specific compliance requirements, this change could lead to violations, as explicit header restrictions may be a requirement.

Contextual Information:

  • The current configuration lists safe headers for caching and access, which was more restrictive and controlled.

Validation Questions:

  1. Review Compliance Policies: Before making this change, verify that a wildcard header allowance ('*') doesn't breach any organizational or regulatory compliance requirements.
  2. Restrict to Required Headers: Assess whether allowing headers globally ('*') is necessary. Where possible, restrict to only headers explicitly required for operations.
  3. Security Testing: Conduct thorough testing for any cross-origin requests that might now pass through due to this header change.

Affected Applications:

  • Any application utilizing this CloudFront distribution for headers will be affected. There might be underlying APIs or web services that require specific headers to be kept secure.
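To make the risk above concrete, the following added example (not part of the Overmind comment, the PR, or the project's own code) models the two sides of the diff as CORS policies and evaluates a browser preflight against each the way the Fetch spec's CORS-preflight check does. The policy values are constructed from the hunk on this page; the `CorsPolicy` type, `preflight_check` and `review_policy` are hypothetical helpers, and `review_policy` shows the kind of finding a policy-as-code gate could raise before a wildcard is applied. It goes slightly beyond the page by also covering the credentials and Authorization edge cases that make a wildcard behave differently from an explicit list.

```python
"""Evaluate what a CloudFront CORS allow-headers change means for browser preflights."""
from dataclasses import dataclass

# Constructed from the two sides of the diff on this page:
# the current explicit allow-list and the planned wildcard.
CURRENT_ALLOW_HEADERS = ["Accept", "Accept-Encoding", "Content-Encoding",
                         "Content-Length", "Content-Type"]
PLANNED_ALLOW_HEADERS = ["*"]


@dataclass(frozen=True)
class CorsPolicy:
    """Hypothetical subset of a CloudFront response headers policy's cors_config."""
    allow_credentials: bool
    allow_headers: tuple[str, ...]


def preflight_check(policy: CorsPolicy, requested: list[str],
                    with_credentials: bool = False) -> tuple[list[str], list[str]]:
    """Split the headers named in Access-Control-Request-Headers into
    (allowed, denied) following the Fetch spec's CORS-preflight check:
    - header-name matching is case-insensitive;
    - '*' matches any header only when the request carries no credentials,
      otherwise it is matched literally as a header called '*';
    - Authorization is never covered by '*' and must be listed explicitly.
    """
    listed = {h.lower() for h in policy.allow_headers}
    wildcard = "*" in listed and not with_credentials
    allowed, denied = [], []
    for name in requested:
        low = name.lower()
        if low in listed or (wildcard and low != "authorization"):
            allowed.append(name)
        else:
            denied.append(name)
    return allowed, denied


def review_policy(policy: CorsPolicy) -> list[str]:
    """Findings a policy-as-code gate could raise on a planned change."""
    findings = []
    if "*" in policy.allow_headers:
        findings.append(
            "wildcard allow_headers: any custom request header passes preflight "
            "for credential-less cross-origin requests")
        if policy.allow_credentials:
            findings.append(
                "wildcard with allow_credentials=true: browsers match '*' "
                "literally, so preflights for custom headers will fail")
    return findings


# Both sides of the diff have access_control_allow_credentials: false.
CURRENT = CorsPolicy(allow_credentials=False, allow_headers=tuple(CURRENT_ALLOW_HEADERS))
PLANNED = CorsPolicy(allow_credentials=False, allow_headers=tuple(PLANNED_ALLOW_HEADERS))

if __name__ == "__main__":
    requested = ["Content-Type", "X-Api-Key", "Authorization"]
    for label, policy in (("current", CURRENT), ("planned", PLANNED)):
        print(label, preflight_check(policy, requested))
    print(review_policy(PLANNED))
```

Running it shows that under the current list a request carrying `X-Api-Key` is refused at preflight while under the planned wildcard it is accepted, which is the "unauthorized headers" point the risk summary makes; it also shows that the wildcard buys nothing for `Authorization` or for credentialed requests, so an explicit list is usually both safer and more predictable.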

@dylanratcliffe dylanratcliffe deleted the dylanratcliffe-patch-2 branch December 18, 2024 14:57