
If this is the wrong StackExchange sub-exchange, please redirect me, I'm happy to move this question.

I was just moved onto a project managing a CloudFront instance. I've never used any Amazon cloud services before (except for S3, and only a little of that). The project has to pass Veracode static/dynamic scans with scores of 100, and Veracode is complaining that our response headers contain too much information about our servers (e.g. S3/CloudFront version information). I found an article describing rules for which request headers CloudFront forwards to origin, and some other rules regarding response headers, but haven't found documentation on how to stop CloudFront specifically from pushing through headers that reveal version information.

Is there a way to target these headers in CloudFront (or S3) to disable them and make Veracode happy?

Edit: additional details from Veracode report:

The recommendation from Veracode is:

Configure your web server to avoid having it announce its own details. For example in Apache, these two configuration directives should be added to the configuration file: "ServerSignature Off" and "ServerTokens Prod". Utilize URLScan and IISLockdown for Microsoft's IIS web server.

Not sure how to accomplish this in S3/CloudFront.

Steverino
  • Are you referring to the stuff like `X-Cache: Redirect from cloudfront`, `Via: 1.1 f7ed5c17d39c1d6b03157949cd814fd4.cloudfront.net (CloudFront)`, `X-Amz-Cf-Id: C-47QqO1qbLZcrPx_fK7ZuCV31WqmDNL2iNdMzuOkOJzNoa4zXkmwA==` etc.? – ceejayoz May 25 '17 at 21:00
  • Veracode has a problem if these are really the headers they're complaining about. These values are opaque troubleshooting codes. There is no version information here. It *might* be possible to remove them once Lambda@Edge is released to general availability... but these are non-issues. – Michael - sqlbot May 25 '17 at 23:36
  • Updated question with additional details from Veracode report. – Steverino May 26 '17 at 23:08
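As an added example (not code from the question, the comments, or AWS), here is the Lambda@Edge approach the comment above mentions: an origin-response handler that strips origin-identifying headers such as `Server` from what S3 (or any origin) returns, before CloudFront caches and serves the object. The header list and the sample event are constructed assumptions; CloudFront's own `Via`, `X-Cache` and `X-Amz-Cf-Id` headers are added after this hook runs and are outside its reach, consistent with the comment calling them non-issues.

```javascript
// Lambda@Edge origin-response handler (Node.js) that strips origin-identifying
// response headers. Added example; header list and sample event are assumptions.

// Headers an origin (S3 or a web server) may use to announce itself.
// Names are lower-case because Lambda@Edge keys the headers map that way.
const STRIP_HEADERS = ['server', 'x-powered-by', 'x-aspnet-version'];

// Pure helper: remove the listed headers from a CloudFront response object
// and return the names actually removed (useful for logging/metrics).
function stripServerHeaders(response, names = STRIP_HEADERS) {
  const removed = [];
  for (const name of names) {
    if (Object.prototype.hasOwnProperty.call(response.headers, name)) {
      delete response.headers[name];
      removed.push(name);
    }
  }
  return removed;
}

// Lambda@Edge entry point for the origin-response event.
// Returning the (mutated) response object is what CloudFront expects.
async function handler(event) {
  const response = event.Records[0].cf.response;
  stripServerHeaders(response);
  return response;
}

// Constructed sample event shaped like the origin-response event CloudFront
// delivers for an S3 origin; only the fields used above are filled in.
function sampleEvent() {
  return {
    Records: [{
      cf: {
        config: { eventType: 'origin-response' },
        response: {
          status: '200',
          statusDescription: 'OK',
          headers: {
            'server': [{ key: 'Server', value: 'AmazonS3' }],
            'content-type': [{ key: 'Content-Type', value: 'text/html' }],
            'etag': [{ key: 'ETag', value: '"constructed-etag"' }],
          },
        },
      },
    }],
  };
}

if (typeof module !== 'undefined') module.exports = { handler, stripServerHeaders, sampleEvent, STRIP_HEADERS };
```

Attach the function to the distribution's cache behavior on the origin-response event so the stripped copy is what gets cached; viewer-response would run on every request instead.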

0 Answers