
javascript - Cloudfront and Lambda@Edge: Remove response header - Stack Overflow


I am trying to remove some headers from a Cloudfront response using Lambda@Edge on the ViewerResponse event. The origin is an S3 bucket.

I have been successful to change the header like this:

exports.handler = (event, context, callback) => {
    // Viewer-response trigger: the origin's response is under event.Records[0].cf.response
    const response = event.Records[0].cf.response;
    // Overwriting the Server header works as expected
    response.headers.server = [{'key': 'server', 'value': 'bunny'}];
    callback(null, response);
};

However it does not seem to work to remove headers all together, e.g. like this.

exports.handler = (event, context, callback) => {
    const response = event.Records[0].cf.response;
    // Each of these attempts to drop the Server header entirely
    delete response.headers.server;
    // or response.header.server = null;
    // or response.headers.server = [{'key': 'server', 'value': null}];
    callback(null, response);
};

This snippet does not remove the Server header but changes it from server: AmazonS3 to server: CloudFront. So I assumed that maybe the Server header is mandatory and gets populated automatically. But I also have not been able to remove other headers that are generated by CloudFront. In the Lambda test pane, the function works as expected. So something is happening after the Lambda function finishes.

As a background, I would like to change the headers because the site gets blocked in an important client's network with the message that it was an online storage-or-backup location.

What am I missing?

asked Jun 21, 2019 at 21:14 by Falk Schuetzenmeister; edited Jun 22, 2019 at 1:09 by John Rotenstein
  • Some headers are blacklisted and read-only; you can find the list here: docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/… You can try changing the Server header to some other value. – James Dean Commented Jun 22, 2019 at 5:20
  • It seems very unlikely that the traffic is being blocked because of the X-Amz-Cf-* headers, which should be the only relevant headers that you can't remove or modify from a viewer response trigger, and it would be inappropriate to classify a site as "storage or backup" based on these things since CloudFront is neither, and is widely used by many sites as a CDN. Are you using a custom domain on your CloudFront distribution, or are you using the system-assigned *.cloudfront domain name? If you're not using a custom domain, that's much more likely to be the problem. Please confirm. – Michael - sqlbot Commented Jun 23, 2019 at 15:23
  • I am using a custom domain which works perfectly in most cases. I agree that they shouldn't be classified as storage or backup, but that is out of my control since the customer is a government agency with some stone-age understanding of IT security. I guess we have to move to a stone-age Linux server to make that work. – Falk Schuetzenmeister Commented Jun 24, 2019 at 16:05

1 Answer

Unfortunately, CloudFront does not currently support this, as per AWS support:

It is not possible to completely remove the Server header; we can either set it to None or, even if we try to delete the Server header field altogether, CloudFront will add 'Server: CloudFront' to the viewer response.

Since you mentioned a government agency, you might want to ask what policy they're following. Most of these are probably based on the CIS benchmarks for things like Apache, which generally have an “information leakage” goal such as this:

Information is power and identifying web server details greatly increases the efficiency of any attack, as security vulnerabilities are extremely dependent upon specific software versions and configurations. Excessive probing and requests may cause too much "noise" being generated and may tip off an administrator. If an attacker can accurately target their exploits, the chances of successful compromise prior to detection increase dramatically. Script Kiddies are constantly scanning the Internet and documenting the version information openly provided by web servers. The purpose of this scanning is to accumulate a database of software installed on those hosts, which can then be used when new vulnerabilities are released.

The recommended advice I've seen has generally been something which allows a generic Server header in addition to removing it. For example, the Apache guide allows Server: Apache:

Configure the Apache ServerTokens directive to provide minimal information by setting the value to Prod or ProductOnly. The only version information given in the Server HTTP response header will be Apache rather than details on modules and versions installed.

If you remove the Server header in your code, CloudFront adding its own header does not leak information about the backend server, and it does not give an attacker new information, because they already know that they are connecting to a CloudFront IP address.
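The following is an added example, not code from the question or the answer, of the approach the answer recommends: set the Server header to a generic value instead of deleting it (deleting it is what lets CloudFront substitute "Server: CloudFront"), and strip the S3-specific response headers that mark the origin as a bucket. It goes a little beyond the question by dropping every x-amz-* header except the X-Amz-Cf-* family, which the comments above note a viewer-response trigger cannot modify. The generic value "Apache", the header names x-amz-id-2 and x-amz-request-id, and the sample event are assumptions constructed for illustration; the function is exported under a local name so it can be run offline, whereas the deployed Lambda@Edge function exposes it as exports.handler.

```javascript
'use strict';

// Added example of a Lambda@Edge viewer-response handler. Lambda@Edge keys
// response.headers by the lowercased header name, each mapping to an array of
// {key, value} objects, so that is the shape scrubHeaders() reads and returns.
const GENERIC_SERVER = 'Apache';       // assumed generic value, in the spirit of ServerTokens Prod
const READ_ONLY_PREFIX = 'x-amz-cf-';  // per the comments, not modifiable from a viewer-response trigger

// Return a copy of the header map with a generic Server value and without the
// S3 origin fingerprints (every x-amz-* header except the read-only x-amz-cf-* family).
function scrubHeaders(headers) {
  const out = {};
  for (const name of Object.keys(headers)) {
    const lower = name.toLowerCase();
    if (lower === 'server') continue;  // replaced below, never deleted
    if (lower.startsWith('x-amz-') && !lower.startsWith(READ_ONLY_PREFIX)) continue;
    out[lower] = headers[name];
  }
  // Setting (not deleting) the header is what keeps CloudFront from
  // substituting "Server: CloudFront", as the answer explains.
  out.server = [{ key: 'Server', value: GENERIC_SERVER }];
  return out;
}

// The function CloudFront invokes; in the deployed code this is exports.handler.
const handler = (event, context, callback) => {
  const response = event.Records[0].cf.response;
  response.headers = scrubHeaders(response.headers);
  callback(null, response);
};

// Constructed viewer-response record shaped like one from an S3 origin; the
// x-amz-id-2 / x-amz-request-id names are assumed S3 response headers.
function sampleEvent() {
  return {
    Records: [{
      cf: {
        response: {
          status: '200',
          statusDescription: 'OK',
          headers: {
            'server':           [{ key: 'Server', value: 'AmazonS3' }],
            'x-amz-id-2':       [{ key: 'x-amz-id-2', value: 'constructed-id-2' }],
            'x-amz-request-id': [{ key: 'x-amz-request-id', value: 'constructed-request-id' }],
            'x-amz-cf-id':      [{ key: 'X-Amz-Cf-Id', value: 'constructed-cf-id' }],
            'content-type':     [{ key: 'Content-Type', value: 'text/html' }],
          },
        },
      },
    }],
  };
}

// Run the handler offline against the sample event and return the headers it produced.
function runOffline() {
  let result = null;
  handler(sampleEvent(), {}, (err, res) => { result = err || res; });
  return result.headers;
}

if (typeof module !== 'undefined') {
  module.exports = { handler, scrubHeaders, sampleEvent, runOffline };
}
```

Running runOffline() on the constructed event leaves content-type and x-amz-cf-id untouched, drops x-amz-id-2 and x-amz-request-id, and replaces the AmazonS3 Server value with the generic one. Whether the client network's filter keys on these headers at all is a separate question, as the comments above point out; this only removes what a viewer-response trigger is able to remove.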
