I am trying to remove some headers from a Cloudfront response using Lambda@Edge on the ViewerResponse event. The origin is an S3 bucket.
I have been successful to change the header like this:
exports.handler = (event, context, callback) => {
const response = event.Records[0].cf.response;
response.headers.server = [{'key': 'server', 'value': 'bunny'}];
callback(null, response);
};
However it does not seem to work to remove headers all together, e.g. like this.
exports.handler = (event, context, callback) => {
const response = event.Records[0].cf.response;
delete response.headers.server;
// or response.header.server = null;
// or response.headers.server = [{'key': 'server', 'value': null}];
callback(null, response);
};
This snippet does not remove but changes the server header from server: AmazonS3
to server: CloudFront
. So I assumed that maybe the server header is mandatory and gets populated automatically. But I also not have been able to remove other headers that are generated by CloudFront. In the lambda test pane, the function works as expected. So something is happening after the Lambda function finishes.
As a background, I would like to change the headers because the site gets blocked in an important client's network with the message that it was an online storage-or-backup location.
What am I missing?
Choose the Behaviors tab. Choose the check box next to the cache behavior that has the Lambda@Edge function association that you want to delete, and then choose Edit. Scroll down to Lambda Function Associations, and then choose the X icon next to each Lambda@Edge function association that you want to delete.
With Lambda@Edge, you can customize the content delivered through the Amazon CloudFront CDN, and you can customize your compute resources and execution time, based on your application performance needs.
Unfortunately, CloudFront does not currently support this as per AWS support:
It is not possible to completely remove the Server Header, we can either set it to None or even if we try to delete the server header field altogether, CloudFront will add a 'Server:CloudFront' to the viewer response.
Since you mentioned a government agency, you might want to ask what policy they're following. Most of these are probably based on the CIS benchmarks for things like Apache, which generally have an “information leakage” goal such as this:
Information is power and identifying web server details greatly increases the efficiency of any attack, as security vulnerabilities are extremely dependent upon specific software versions and configurations. Excessive probing and requests may cause too much "noise" being generated and may tip off an administrator. If an attacker can accurately target their exploits, the chances of successful compromise prior to detection increase dramatically. Script Kiddies are constantly scanning the Internet and documenting the version information openly provided by web servers. The purpose of this scanning is to accumulate a database of software installed on those hosts, which can then be used when new vulnerabilities are released.
The recommended advice I've seen has generally been something which allows a generic Server
header in addition to removing it. For example, the Apache guide allows Server: Apache
:
Configure the Apache ServerTokens directive to provide minimal information. By setting the value to Prod or ProductOnly. The only version information given in the server HTTP response header will be Apache rather than details on modules and versions installed.
If you remove the Server
header in your code, CloudFront adding its own header does not leak information about the backend server and does not give an attacker new information because they already know that they are connecting to a CloudFront IP address.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With