LOW

Ensure CloudFront distributions forward only required headers to origin

Forwarding unnecessary headers to origin reduces cache efficiency and may expose sensitive information unnecessarily.

Security Impact

Forwarding all headers reduces cache hit ratio and may leak sensitive client information to origin.

How to Remediate

Configure cache behaviors to forward only headers required by the origin. Use allowlists instead of forwarding all headers.

Affected Resources

AWS::CloudFront::Distribution

Compliance Frameworks

Best PracticesPrivacy

How TigerGate Helps

TigerGate continuously monitors your AWS environment to detect and alert on this misconfiguration. Here's what our platform does for this specific check:

  • Continuous Scanning

    Automatically scans all Amazon CloudFront resources across your AWS accounts every hour

  • Instant Alerts

    Get notified via Slack, email, or webhooks when this misconfiguration is detected

  • One-Click Remediation

    Fix this issue directly from the TigerGate dashboard with our guided remediation

  • Compliance Evidence

    Automatically collect audit evidence for Best Practices, Privacy compliance

  • Drift Detection

    Get alerted if this configuration drifts back to an insecure state after remediation

Check Details

Check ID
aws-cloudfront-16
Service
Amazon CloudFront
Category
Performance
Severity
LOW

Automate This Check

TigerGate automatically scans your AWS environment for this and 575+ other security checks.

Start Free Trial

Related Amazon CloudFront Checks

View all checks
aws-cloudfront-1high

Ensure CloudFront distributions use secure SSL/TLS protocols

aws-cloudfront-2high

Ensure CloudFront distributions enforce HTTPS-only viewer connections

aws-cloudfront-3high

Ensure CloudFront distributions use origin access identity (OAI) for S3 origins

aws-cloudfront-4medium

Ensure CloudFront distributions have access logging enabled

aws-cloudfront-5high

Ensure CloudFront distributions have WAF integrated