Cache all headers

[dylanratcliffe]

No description provided.

[github-actions]

Expected Changes

cloudfront-response-headers-policy › 132e10ff-93d1-4e1a-9909-6cb69b8b743a

--- current
+++ planned
@@ -3,11 +3,7 @@
     - access_control_allow_credentials: false
       access_control_allow_headers:
         - items:
-            - Accept
-            - Accept-Encoding
-            - Content-Encoding
-            - Content-Length
-            - Content-Type
+            - '*'
       access_control_allow_methods:
         - items:
             - GET

Blast Radius

Items	Edges
103	123

Open in Overmind

Risks

Potential Impact on CORS Configuration Due to Header Policy Change [Medium]

The update in the CloudFront Response Headers Policy, specifically changing the access_control_allow_headers to accept all headers ('*') instead of specific ones (Accept, Accept-Encoding, Content-Encoding, Content-Length, Content-Type), could potentially affect how APIs or web applications handle Cross-Origin Resource Sharing (CORS). Allowing all headers might introduce security vulnerabilities, particularly if any requests come from untrusted sources that exploit CORS misconfigurations to access sensitive information.

Validation Steps:

• Verify if the APIs or Frontend applications served through this CloudFront distribution have necessary checks for CORS usage.
• Confirm with application developers on any specific headers previously used for application logic to ensure that allowing all headers does not inadvertently expose or change the logic.
• Test the application in a staging environment with the new header configuration to observe if the changes impact the current application behavior.

Affected Applications: Given the infrastructure, if any applications under CloudFront distributions that use this response headers policy interact with user data or third-party services, these changes may require thorough testing to avoid unintended data exposure.