# Control origin requests with a policy
<a name="controlling-origin-requests"></a>

When a viewer request to CloudFront results in a *cache miss* (the requested object is not cached at the edge location), CloudFront sends a request to the origin to retrieve the object. This is called an *origin request*. The origin request always includes the following information from the viewer request:
+ The URL path (the path only, without URL query strings or the domain name)
+ The request body (if there is one)
+ The HTTP headers that CloudFront automatically includes in every origin request, including `Host`, `User-Agent`, and `X-Amz-Cf-Id`

Other information from the viewer request, such as URL query strings, HTTP headers, and cookies, is not included in the origin request by default. (Exception: With legacy cache settings, CloudFront forwards the headers to your origin by default.) However, you might want to receive some of this other information at the origin, for example to collect data for analytics or telemetry. You can use an *origin request policy* to control the information that's included in an origin request. 

Origin request policies are separate from [cache policies](controlling-the-cache-key.md), which control the cache key. This way, you can receive additional information at the origin and also maintain a good *cache hit ratio* (the proportion of viewer requests that result in a cache hit). You do this by separately controlling which information is included in origin requests (using the origin request policy) and which is included in the cache key (using the cache policy).

Although the two kinds of policies are separate, they are related. All URL query strings, HTTP headers, and cookies that you include in the cache key (using a cache policy) are automatically included in origin requests. Use the origin request policy to specify the information that you want to include in origin requests, but *not* include in the cache key. Just like a cache policy, you attach an origin request policy to one or more cache behaviors in a CloudFront distribution.

You can also use an origin request policy to add additional HTTP headers to an origin request that were not included in the viewer request. These additional headers are added by CloudFront before sending the origin request, with header values that are determined automatically based on the viewer request. For more information, see [Add CloudFront request headers](adding-cloudfront-headers.md).

**Topics**
+ [

# Understand origin request policies
](origin-request-understand-origin-request-policy.md)
+ [

# Create origin request policies
](origin-request-create-origin-request-policy.md)
+ [

# Use managed origin request policies
](using-managed-origin-request-policies.md)
+ [

# Add CloudFront request headers
](adding-cloudfront-headers.md)
+ [

# Understand how origin request policies and cache policies work together
](understanding-how-origin-request-policies-and-cache-policies-work-together.md)

# Understand origin request policies
<a name="origin-request-understand-origin-request-policy"></a>

CloudFront provides some predefined origin request policies, known as *managed policies*, for common use cases. You can use these managed policies, or you can create your own origin request policy that's specific to your needs. For more information about the managed policies, see [Use managed origin request policies](using-managed-origin-request-policies.md).

An origin request policy contains the following settings, which are categorized into *policy information* and *origin request settings*.

## Policy information
<a name="origin-request-understand-origin-request-policy-info"></a>

**Name**  
A name to identify the origin request policy. In the console, you use the name to attach the origin request policy to a cache behavior.

**Description**  
A comment to describe the origin request policy. This is optional.

## Origin request settings
<a name="origin-request-understand-origin-request-policy-settings"></a>

Origin request settings specify the values in viewer requests that are included in requests that CloudFront sends to the origin (known as origin requests). The values can include URL query strings, HTTP headers, and cookies. The values that you specify are included in origin requests, but are not included in the cache key. For information about controlling the cache key, see [Control the cache key with a policy](controlling-the-cache-key.md).

**Headers**  
The HTTP headers in viewer requests that CloudFront includes in origin requests. For headers, you can choose one of the following settings:  
+ **None** – The HTTP headers in viewer requests are *not* included in origin requests.
+ **All viewer headers** – All HTTP headers in viewer requests are included in origin requests.
+ **All viewer headers and the following CloudFront headers** – All HTTP headers in viewer requests are included in origin requests. Additionally, you specify which of the CloudFront headers you want to add to origin requests. For more information about the CloudFront headers, see [Add CloudFront request headers](adding-cloudfront-headers.md).
+ **Include the following headers** – You specify which HTTP headers are included in origin requests.
**Note**  
Do not specify a header that is already included in your **Origin Custom Headers** settings. For more information, see [Configure CloudFront to add custom headers to origin requests](add-origin-custom-headers.md#add-origin-custom-headers-configure).
+ **All viewer headers except** – You specify which HTTP headers are ***not*** included in origin requests. All other HTTP headers in viewer requests, except for the ones specified, are included.
When you use the **All viewer headers and the following CloudFront headers**, **Include the following headers**, or **All viewer headers except** setting, you specify HTTP headers by the header name only. CloudFront includes the full header, including its value, in origin requests.  
When you use the **All viewer headers except** setting to remove the viewer's `Host` header, CloudFront adds a new `Host` header with the origin's domain name to the origin request.

**Cookies**  
The cookies in viewer requests that CloudFront includes in origin requests. For cookies, you can choose one of the following settings:  
+ **None** – The cookies in viewer requests are *not* included in origin requests.
+ **All** – All cookies in viewer requests are included in origin requests.
+ **Include the following cookies** – You specify which cookies in viewer requests are included in origin requests.
+ **All cookies except** – You specify which cookies in viewer requests are ***not*** included in origin requests. All other cookies in viewer requests are included.
When you use the **Include the following cookies** or **All cookies except** setting, you specify cookies by their name only. CloudFront includes the full cookie, including its value, in origin requests.

**Query strings**  
The URL query strings in viewer requests that CloudFront includes in origin requests. For query strings, you can choose one of the following settings:  
+ **None** – The query strings in viewer requests are *not* included in origin requests.
+ **All** – All query strings in viewer requests are included in origin requests.
+ **Include the following query strings** – You specify which query strings in viewer requests are included in origin requests.
+ **All query strings except** – You specify which query strings in viewer requests are ***not*** included in origin requests. All other query strings are included.
When you use the **Include the following query strings** or **All query strings except** setting, you specify query strings by their name only. CloudFront includes the full query string, including its value, in origin requests.

# Create origin request policies
<a name="origin-request-create-origin-request-policy"></a>

You can use an origin request policy to control the values (URL query strings, HTTP headers, and cookies) that are included in requests that CloudFront sends to your origin. You can create an origin request policy in the CloudFront console, with the AWS Command Line Interface (AWS CLI), or with the CloudFront API.

After you create an origin request policy, you attach it to one or more cache behaviors in a CloudFront distribution.

Origin request policies are not required. When a cache behavior does not have an origin request policy attached, the origin request includes all the values that are specified in the [cache policy](cache-key-understand-cache-policy.md), but nothing more.

**Note**  
To use an origin request policy, the cache behavior must also use a [cache policy](controlling-the-cache-key.md). You cannot use an origin request policy in a cache behavior without a cache policy.

------
#### [ Console ]

**To create an origin request policy (console)**

1. Sign in to the AWS Management Console and open the **Policies** page in the CloudFront console at [https://console.aws.amazon.com/cloudfront/v4/home?#/policies](https://console.aws.amazon.com/cloudfront/v4/home?#/policies).

1. Choose **Origin request**, then choose **Create origin request policy**.

1. Choose the desired setting for this origin request policy. For more information, see [Understand origin request policies](origin-request-understand-origin-request-policy.md).

1. When finished, choose **Create**.

After you create an origin request policy, you can attach it to a cache behavior.

**To attach an origin request policy to an existing distribution (console)**

1. Open the **Distributions** page in the CloudFront console at [https://console.aws.amazon.com/cloudfront/v4/home#/distributions](https://console.aws.amazon.com/cloudfront/v4/home#/distributions).

1. Choose the distribution to update, then choose the **Behaviors** tab.

1. Choose the cache behavior to update, then choose **Edit**.

   Or, to create a new cache behavior, choose **Create behavior**.

1. In the **Cache key and origin requests** section, make sure that **Cache policy and origin request policy** is chosen.

1. For **Origin request policy**, choose the origin request policy to attach to this cache behavior.

1. At the bottom of the page, choose **Save changes**.

**To attach an origin request policy to a new distribution (console)**

1. Open the CloudFront console at [https://console.aws.amazon.com/cloudfront/v4/home](https://console.aws.amazon.com/cloudfront/v4/home).

1. Choose **Create distribution**.

1. In the **Cache key and origin requests** section, make sure that **Cache policy and origin request policy** is chosen.

1. For **Origin request policy**, choose the origin request policy to attach to this distribution's default cache behavior.

1. Choose the desired settings for the origin, default cache behavior, and other distribution settings. For more information, see [All distribution settings reference](distribution-web-values-specify.md).

1. When finished, choose **Create distribution**.

------
#### [ CLI ]

To create an origin request policy with the AWS Command Line Interface (AWS CLI), use the **aws cloudfront create-origin-request-policy** command. You can use an input file to provide the command's input parameters, rather than specifying each individual parameter as command line input.

**To create an origin request policy (CLI with input file)**

1. Use the following command to create a file named `origin-request-policy.yaml` that contains all of the input parameters for the **create-origin-request-policy** command.

   ```
   aws cloudfront create-origin-request-policy --generate-cli-skeleton yaml-input > origin-request-policy.yaml
   ```

1. Open the file named `origin-request-policy.yaml` that you just created. Edit the file to specify the origin request policy settings that you want, then save the file. You can remove optional fields from the file, but don't remove the required fields.

   For more information about the origin request policy settings, see [Understand origin request policies](origin-request-understand-origin-request-policy.md).

1. Use the following command to create the origin request policy using input parameters from the `origin-request-policy.yaml` file.

   ```
   aws cloudfront create-origin-request-policy --cli-input-yaml file://origin-request-policy.yaml
   ```

   Make note of the `Id` value in the command's output. This is the origin request policy ID, and you need it to attach the origin request policy to a CloudFront distribution's cache behavior.

**To attach an origin request policy to an existing distribution (CLI with input file)**

1. Use the following command to save the distribution configuration for the CloudFront distribution that you want to update. Replace *distribution\$1ID* with the distribution's ID.

   ```
   aws cloudfront get-distribution-config --id distribution_ID --output yaml > dist-config.yaml
   ```

1. Open the file named `dist-config.yaml` that you just created. Edit the file, making the following changes to each cache behavior that you are updating to use an origin request policy.
   + In the cache behavior, add a field named `OriginRequestPolicyId`. For the field's value, use the origin request policy ID that you noted after creating the policy.
   + Rename the `ETag` field to `IfMatch`, but don't change the field's value.

   Save the file when finished.

1. Use the following command to update the distribution to use the origin request policy. Replace *distribution\$1ID* with the distribution's ID.

   ```
   aws cloudfront update-distribution --id distribution_ID --cli-input-yaml file://dist-config.yaml
   ```

**To attach an origin request policy to a new distribution (CLI with input file)**

1. Use the following command to create a file named `distribution.yaml` that contains all of the input parameters for the **create-distribution** command.

   ```
   aws cloudfront create-distribution --generate-cli-skeleton yaml-input > distribution.yaml
   ```

1. Open the file named `distribution.yaml` that you just created. In the default cache behavior, in the `OriginRequestPolicyId` field, enter the origin request policy ID that you noted after creating the policy. Continue editing the file to specify the distribution settings that you want, then save the file when finished.

   For more information about the distribution settings, see [All distribution settings reference](distribution-web-values-specify.md).

1. Use the following command to create the distribution using input parameters from the `distribution.yaml` file.

   ```
   aws cloudfront create-distribution --cli-input-yaml file://distribution.yaml
   ```

------
#### [ API ]

To create an origin request policy with the CloudFront API, use [CreateOriginRequestPolicy](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateOriginRequestPolicy.html). For more information about the fields that you specify in this API call, see [Understand origin request policies](origin-request-understand-origin-request-policy.md) and the API reference documentation for your AWS SDK or other API client.

After you create an origin request policy, you can attach it to a cache behavior, using one of the following API calls:
+ To attach it to a cache behavior in an existing distribution, use [UpdateDistribution](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html).
+ To attach it to a cache behavior in a new distribution, use [CreateDistribution](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateDistribution.html).

For both of these API calls, provide the origin request policy's ID in the `OriginRequestPolicyId` field, inside a cache behavior. For more information about the other fields that you specify in these API calls, see [All distribution settings reference](distribution-web-values-specify.md) and the API reference documentation for your AWS SDK or other API client.

------

# Use managed origin request policies
<a name="using-managed-origin-request-policies"></a>

CloudFront provides a set of managed origin request policies that you can attach to any of your distribution's cache behaviors. With a managed origin request policy, you don't need to write or maintain your own origin request policy. The managed policies use settings that are optimized for specific use cases.

To use a managed origin request policy, you attach it to a cache behavior in your distribution. The process is the same as when you create an origin request policy, but instead of creating a new one, you just attach one of the managed origin request policies. You attach the policy either by name (with the console) or by ID (with the AWS CLI or SDKs). The names and IDs are listed in the following section.

For more information, see [Create origin request policies](origin-request-create-origin-request-policy.md).

The following topics describe the managed origin request policies that you can use.

**Topics**
+ [

## AllViewer
](#managed-origin-request-policy-all-viewer)
+ [

## AllViewerAndCloudFrontHeaders-2022-06
](#managed-origin-request-policy-all-viewer-and-cloudfront)
+ [

## AllViewerExceptHostHeader
](#managed-origin-request-policy-all-viewer-except-host-header)
+ [

## CORS-CustomOrigin
](#managed-origin-request-policy-cors-custom)
+ [

## CORS-S3Origin
](#managed-origin-request-policy-cors-s3)
+ [

## Elemental-MediaTailor-PersonalizedManifests
](#managed-origin-request-policy-mediatailor)
+ [

## HostHeaderOnly
](#managed-origin-request-policy-host-header-only)
+ [

## UserAgentRefererHeaders
](#managed-origin-request-policy-user-agent-referer)

## AllViewer
<a name="managed-origin-request-policy-all-viewer"></a>

[View this policy in the CloudFront console](https://console.aws.amazon.com/cloudfront/v4/home#/policies/origin/216adef6-5c7f-47e4-b989-5492eafa07d3)

This policy includes all values (headers, cookies, and query strings) from the viewer request.

When using CloudFormation, the AWS CLI, or the CloudFront API, the ID for this policy is:

`216adef6-5c7f-47e4-b989-5492eafa07d3`

This policy has the following settings:
+ **Headers included in origin requests:** All headers in the viewer request
+ **Cookies included in origin requests:** All
+ **Query strings included in origin requests:** All

## AllViewerAndCloudFrontHeaders-2022-06
<a name="managed-origin-request-policy-all-viewer-and-cloudfront"></a>

[View this policy in the CloudFront console](https://console.aws.amazon.com/cloudfront/v4/home#/policies/origin/33f36d7e-f396-46d9-90e0-52428a34d9dc)

This policy includes all values (headers, cookies, and query strings) from the viewer request, and all [CloudFront headers](adding-cloudfront-headers.md) that were released through June 2022 (CloudFront headers released after June 2022 are not included).

When using CloudFormation, the AWS CLI, or the CloudFront API, the ID for this policy is:

`33f36d7e-f396-46d9-90e0-52428a34d9dc`

This policy has the following settings:
+ **Headers included in origin requests:** All headers in the viewer request, and the following CloudFront headers:
  + `CloudFront-Forwarded-Proto`
  + `CloudFront-Is-Android-Viewer`
  + `CloudFront-Is-Desktop-Viewer`
  + `CloudFront-Is-IOS-Viewer`
  + `CloudFront-Is-Mobile-Viewer`
  + `CloudFront-Is-SmartTV-Viewer`
  + `CloudFront-Is-Tablet-Viewer`
  + `CloudFront-Viewer-Address`
  + `CloudFront-Viewer-ASN`
  + `CloudFront-Viewer-City`
  + `CloudFront-Viewer-Country`
  + `CloudFront-Viewer-Country-Name`
  + `CloudFront-Viewer-Country-Region`
  + `CloudFront-Viewer-Country-Region-Name`
  + `CloudFront-Viewer-Http-Version`
  + `CloudFront-Viewer-Latitude`
  + `CloudFront-Viewer-Longitude`
  + `CloudFront-Viewer-Metro-Code`
  + `CloudFront-Viewer-Postal-Code`
  + `CloudFront-Viewer-Time-Zone`
  + `CloudFront-Viewer-TLS`
+ **Cookies included in origin requests:** All
+ **Query strings included in origin requests:** All

## AllViewerExceptHostHeader
<a name="managed-origin-request-policy-all-viewer-except-host-header"></a>

[View this policy in the CloudFront console](https://console.aws.amazon.com/cloudfront/v4/home#/policies/origin/b689b0a8-53d0-40ab-baf2-68738e2966ac)

This policy does ***not*** include the `Host` header from the viewer request, but does include all others values (headers, cookies, and query strings) from the viewer request.

This policy also includes additional [CloudFront request headers](adding-cloudfront-headers.md) for HTTP protocol, HTTP version, TLS version, and all device type and viewer location headers.

This policy is intended for use with Amazon API Gateway and AWS Lambda function URL origins. These origins expect the `Host` header to contain the origin domain name, not the domain name of the CloudFront distribution. Forwarding the `Host` header from the viewer request to these origins can prevent them from working.

**Note**  
When you use this managed origin request policy to remove the viewer's `Host` header, CloudFront adds a new `Host` header with the origin's domain name to the origin request.

When using CloudFormation, the AWS CLI, or the CloudFront API, the ID for this policy is:

`b689b0a8-53d0-40ab-baf2-68738e2966ac`

This policy has the following settings:
+ **Headers included in origin requests:** All headers in the viewer request ***except*** for the `Host` header
+ **Cookies included in origin requests:** All
+ **Query strings included in origin requests:** All

## CORS-CustomOrigin
<a name="managed-origin-request-policy-cors-custom"></a>

[View this policy in the CloudFront console](https://console.aws.amazon.com/cloudfront/v4/home#/policies/origin/59781a5b-3903-41f3-afcb-af62929ccde1)

This policy includes the header that enables cross-origin resource sharing (CORS) requests when the origin is a custom origin.

When using CloudFormation, the AWS CLI, or the CloudFront API, the ID for this policy is:

`59781a5b-3903-41f3-afcb-af62929ccde1`

This policy has the following settings:
+ **Headers included in origin requests:**
  + `Origin`
+ **Cookies included in origin requests:** None
+ **Query strings included in origin requests:** None

## CORS-S3Origin
<a name="managed-origin-request-policy-cors-s3"></a>

[View this policy in the CloudFront console](https://console.aws.amazon.com/cloudfront/v4/home#/policies/origin/88a5eaf4-2fd4-4709-b370-b4c650ea3fcf)

This policy includes the headers that enable cross-origin resource sharing (CORS) requests when the origin is an Amazon S3 bucket.

When using CloudFormation, the AWS CLI, or the CloudFront API, the ID for this policy is:

`88a5eaf4-2fd4-4709-b370-b4c650ea3fcf`

This policy has the following settings:
+ **Headers included in origin requests:**
  + `Origin`
  + `Access-Control-Request-Headers`
  + `Access-Control-Request-Method`
+ **Cookies included in origin requests:** None
+ **Query strings included in origin requests:** None

## Elemental-MediaTailor-PersonalizedManifests
<a name="managed-origin-request-policy-mediatailor"></a>

[View this policy in the CloudFront console](https://console.aws.amazon.com/cloudfront/v4/home#/policies/origin/775133bc-15f2-49f9-abea-afb2e0bf67d2)

This policy is intended for use with an origin that is an AWS Elemental MediaTailor endpoint.

When using CloudFormation, the AWS CLI, or the CloudFront API, the ID for this policy is:

`775133bc-15f2-49f9-abea-afb2e0bf67d2`

This policy has the following settings:
+ **Headers included in origin requests:**
  + `Origin`
  + `Access-Control-Request-Headers`
  + `Access-Control-Request-Method`
  + `User-Agent`
  + `X-Forwarded-For`
+ **Cookies included in origin requests:** None
+ **Query strings included in origin requests:** All

## HostHeaderOnly
<a name="managed-origin-request-policy-host-header-only"></a>

[View this policy in the CloudFront console](https://console.aws.amazon.com/cloudfront/v4/home#/policies/origin/bf0718e1-ba1e-49d1-88b1-f726733018ae)

This policy includes only the `Host` header from the origin request. It doesn't include any query strings or cookies.

When using CloudFormation, the AWS CLI, or the CloudFront API, the ID for this policy is:

`bf0718e1-ba1e-49d1-88b1-f726733018ae`

This policy has the following settings:
+ **Headers included in origin requests:** Host
+ **Cookies included in origin requests:** None
+ **Query strings included in origin requests:** None

## UserAgentRefererHeaders
<a name="managed-origin-request-policy-user-agent-referer"></a>

[View this policy in the CloudFront console](https://console.aws.amazon.com/cloudfront/v4/home#/policies/origin/acba4595-bd28-49b8-b9fe-13317c0390fa)

This policy includes only the `User-Agent` and `Referer` headers. It doesn't include any query strings or cookies.

When using CloudFormation, the AWS CLI, or the CloudFront API, the ID for this policy is:

`acba4595-bd28-49b8-b9fe-13317c0390fa`

This policy has the following settings:
+ **Headers included in origin requests:**
  + `User-Agent`
  + `Referer`
+ **Cookies included in origin requests:** None
+ **Query strings included in origin requests:** None

# Add CloudFront request headers
<a name="adding-cloudfront-headers"></a>

You can configure CloudFront to add specific HTTP headers to the requests that CloudFront receives from viewers and forwards on to your origin or [edge function](edge-functions.md). The values of these HTTP headers are based on characteristics of the viewer or the viewer request. The headers provide information about the viewer's device type, IP address, geographic location, request protocol (HTTP or HTTPS), HTTP version, TLS connection details, [JA3 fingerprint](https://github.com/salesforce/ja3), and JA4 fingerprint. You can also configure your distribution's cache behavior to forward WebSocket headers. For more information, see [Use WebSockets with CloudFront distributions](distribution-working-with.websockets.md).

With these headers, your origin or your edge function can receive information about the viewer without the need for you to write your own code to determine this information. If your origin returns different responses based on the information in these headers, you can include them in the *cache key* so that CloudFront caches the responses separately. For example, your origin might respond with content in a specific language based on the country that the viewer is in, or with content tailored to a specific device type. Your origin might also write these headers to log files, which you can use to determine information about where your viewers are, which device types they're on, and more.

To include these headers in the cache key, use a *cache policy*. For more information, see [Control the cache key with a policy](controlling-the-cache-key.md) and [Understand the cache key](understanding-the-cache-key.md).

To receive these headers at your origin but not include them in the cache key, use an *origin request policy*. For more information, see [Control origin requests with a policy](controlling-origin-requests.md).

**Topics**
+ [

## Device type headers
](#cloudfront-headers-device-type)
+ [

## Viewer location headers
](#cloudfront-headers-viewer-location)
+ [

## Headers to determine the viewer's header structure
](#cloudfront-headers-viewer-headers)
+ [

## TLS-related headers
](#tls-related-versions)
+ [

## Other CloudFront headers
](#cloudfront-headers-other)

## Device type headers
<a name="cloudfront-headers-device-type"></a>

You can add the following headers to determine the viewer's device type. Based on the value of the `User-Agent` header, CloudFront sets the value of these headers to `true` or `false`. If a device falls into more than one category, more than one value can be `true`. For example, for some tablet devices, CloudFront sets both `CloudFront-Is-Mobile-Viewer` and `CloudFront-Is-Tablet-Viewer` to `true`.
+ `CloudFront-Is-Android-Viewer` – Set to `true` when CloudFront determines that the viewer is a device with the Android operating system.
+ `CloudFront-Is-Desktop-Viewer` – Set to `true` when CloudFront determines that the viewer is a desktop device.
+ `CloudFront-Is-IOS-Viewer` – Set to `true` when CloudFront determines that the viewer is a device with an Apple mobile operating system, such as iPhone, iPod touch, and some iPad devices.
+ `CloudFront-Is-Mobile-Viewer` – Set to `true` when CloudFront determines that the viewer is a mobile device.
+ `CloudFront-Is-SmartTV-Viewer` – Set to `true` when CloudFront determines that the viewer is a smart TV.
+ `CloudFront-Is-Tablet-Viewer` – Set to `true` when CloudFront determines that the viewer is a tablet.

## Viewer location headers
<a name="cloudfront-headers-viewer-location"></a>

You can add the following headers to determine the viewer's location. CloudFront determines the values for these headers based on the viewer's IP address. For non-ASCII characters in these headers' values, CloudFront percent-encodes the character according to [section 1.2 of RFC 3986](https://tools.ietf.org/html/rfc3986#section-2.1).
+ `CloudFront-Viewer-Address` – Contains the IP address of the viewer and the source port of the request. For example, a header value of `198.51.100.10:46532` means the viewer's IP address is 198.51.100.10 and the request source port is 46532.
+ `CloudFront-Viewer-ASN` – Contains the autonomous system number (ASN) of the viewer.
**Note**  
`CloudFront-Viewer-Address` and `CloudFront-Viewer-ASN` can be added in an origin request policy, but not in a cache policy.
+ `CloudFront-Viewer-Country` – Contains the two-letter country code for the viewer's country. For a list of country codes, see [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2).
+ `CloudFront-Viewer-City` – Contains the name of the viewer's city.

When you add the following headers, CloudFront applies them to all requests *except* those that originate from the AWS network:
+ `CloudFront-Viewer-Country-Name` – Contains the name of the viewer's country.
+ `CloudFront-Viewer-Country-Region` – Contains a code (up to three characters) that represent the viewer's region. The region is the first-level subdivision (the broadest or least specific) of the [ISO 3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) code.
+ `CloudFront-Viewer-Country-Region-Name` – Contains the name of the viewer's region. The region is the first-level subdivision (the broadest or least specific) of the [ISO 3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) code.
+ `CloudFront-Viewer-Latitude` – Contains the viewer's approximate latitude.
+ `CloudFront-Viewer-Longitude` – Contains the viewer's approximate longitude.
+ `CloudFront-Viewer-Metro-Code` – Contains the viewer's metro code. This is present only when the viewer is in the United States.
+ `CloudFront-Viewer-Postal-Code` – Contains the viewer's postal code.
+ `CloudFront-Viewer-Time-Zone` Contains the viewer's time zone, in [IANA time zone database format](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) (for example, `America/Los_Angeles`).

**Note**  
`CloudFront-Viewer-City`, `CloudFront-Viewer-Metro-Code`, and `CloudFront-Viewer-Postal-Code` might not be available for every IP address. Some IP addresses can't be geolocated with enough specificity to get that information.

## Headers to determine the viewer's header structure
<a name="cloudfront-headers-viewer-headers"></a>

You can add the following headers to help identify the viewer based on the headers that it sends. For example, different browsers may send HTTP headers in a certain order. If the browser specified in the `User-Agent` header doesn’t match that browser’s expected header order, you can deny the request. Additionally, if the `CloudFront-Viewer-Header-Count` value does not match the number of headers in `CloudFront-Viewer-Header-Order`, you can deny the request.
+ `CloudFront-Viewer-Header-Order` – Contains the viewer's header names in the order requested, separated by a colon. For example: `CloudFront-Viewer-Header-Order: Host:User-Agent:Accept:Accept-Encoding`. Headers beyond the character limit of 7,680 are truncated.
+ `CloudFront-Viewer-Header-Count` – Contains the total number of the viewer's headers.

## TLS-related headers
<a name="tls-related-versions"></a>

You can add the following headers to determine the viewer's JA3 fingerprint, JA4 fingerprint, and TLS connection details:
+ `CloudFront-Viewer-JA3-Fingerprint` – Contains the [JA3 fingerprint](https://github.com/salesforce/ja3) of the viewer. The JA3 fingerprint can help you determine whether the request comes from a known client, whether that's malware or a malicious bot, or an expected (allow-listed) application. 
+ `CloudFront-Viewer-JA4-Fingerprint` – Contains the JA4 fingerprint of the viewer. Similar to the JA3 fingerprint, the [JA4 fingerprint](https://github.com/FoxIO-LLC/ja4) can help you determine whether the request comes from a known client, whether that's malware or a malicious bot, or an expected (allow-listed) application. You can use the fingerprint to build a database of known good and bad actors to apply when inspecting HTTP requests. You can then inspect the header value on your application web servers or in your [Lambda@Edge](lambda-at-the-edge.md) and [CloudFront Functions](cloudfront-functions.md) to compare the header value against a list of known malware fingerprints to block malicious clients.
+ `CloudFront-Viewer-TLS` – Contains the SSL/TLS version, the cipher, and information about the SSL/TLS handshake that was used for the connection between the viewer and CloudFront. The header value is in the following format:

  ```
  SSL/TLS_version:cipher:handshake_information
  ```

  For `handshake_information`, the header can contain the following values:
  + `fullHandshake` – A full handshake was performed for the SSL/TLS session.
  + `sessionResumed` – A previous SSL/TLS session was resumed.
  + `connectionReused` – A previous SSL/TLS connection was reused.

  The following are some example values for this header:

  ```
  TLSv1.3:TLS_AES_128_GCM_SHA256:sessionResumed
  ```

  ```
  TLSv1.2:ECDHE-ECDSA-AES128-GCM-SHA256:connectionReused
  ```

  ```
  TLSv1.1:ECDHE-RSA-AES128-SHA256:fullHandshake
  ```

  ```
  TLSv1:ECDHE-RSA-AES256-SHA:fullHandshake
  ```

  For the full list of possible SSL/TLS versions and ciphers that can be in this header value, see [Supported protocols and ciphers between viewers and CloudFront](secure-connections-supported-viewer-protocols-ciphers.md).

**Notes**  
The JA3 and JA4 fingerprints are derived from the SSL/TLS `Client Hello` packet. They are only present for HTTPS requests.
For these TLS-related headers, you can add them to a [origin request policy](controlling-origin-requests.md), but not in a [cache policy](controlling-the-cache-key.md).

## Other CloudFront headers
<a name="cloudfront-headers-other"></a>

You can add the following headers to determine the viewer's original request URI, original request query string parameters and values, protocol, and version:
+ `CloudFront-Error-Uri` – Contains the original request URI that was received from the viewer.
+ `CloudFront-Error-Args` – Contains the original request query string parameters and values.
+ `CloudFront-Forwarded-Proto` – Contains the protocol of the viewer's request (HTTP or HTTPS).
+ `CloudFront-Viewer-Http-Version` – Contains the HTTP version of the viewer's request.

# Understand how origin request policies and cache policies work together
<a name="understanding-how-origin-request-policies-and-cache-policies-work-together"></a>

You can use a CloudFront [origin request policy](controlling-origin-requests.md) to control the requests that CloudFront sends to the origin, which are called *origin requests*. To use an origin request policy, you must attach a [cache policy](controlling-the-cache-key.md) to the same cache behavior. You cannot use an origin request policy in a cache behavior without a cache policy. For more information, see [Control origin requests with a policy](controlling-origin-requests.md).

Origin request policies and cache policies work together to determine the values that CloudFront includes in origin requests. All URL query strings, HTTP headers, and cookies that you specify in the cache key (using a cache policy) are automatically included in origin requests. Any additional query strings, headers, and cookies that you specify in an origin request policy are also included in origin requests (but not in the cache key).

Origin request policies and cache policies have settings that might appear to conflict with each other. For example, one policy might allow certain values while another policy blocks them. The following table explains which values CloudFront includes in origin requests when you use the settings of an origin request policy and a cache policy together. These settings generally apply to all types of values (query strings, headers, and cookies), with the exception that you cannot specify all headers or use a header block list in a cache policy.


|  |  **Origin request policy**  |  |  **None**  |  **All**  |  **Allow list**  |  **Block list**  | 
| --- | --- | --- | --- | --- | --- | --- | 
|  **Cache policy**  | 
|  **None**  |  No values from the viewer request are included in the origin request, except for the defaults that are included in every origin request. For more information, see [Control origin requests with a policy](controlling-origin-requests.md).  |  All values from the viewer request are included in the origin request.  |  Only the values specified in the origin request policy are included in the origin request.  |  All values from the viewer request ***except*** those specified in the origin request policy are included in the origin request.  | 
|  **All** **Note:** You cannot specify all headers in a cache policy.  |  All query strings and cookies from the viewer request are included in the origin request.  |  All values from the viewer request are included in the origin request.  |  All query strings and cookies from the viewer request, and any headers specified in the origin request policy, are included in the origin request.  |  All query strings and cookies from the viewer request are included in the origin request, even those specified in the origin request policy block list. The cache policy setting overrides the origin request policy block list.  | 
|  **Allow list**  |  Only the specified values from the viewer request are included in the origin request.  |  All values from the viewer request are included in the origin request.  |  All values specified in the cache policy or the origin request policy are included in the origin request.  |  The values specified in the cache policy are included in the origin request, even if those same values are specified in the origin request policy block list. The cache policy allow list overrides the origin request policy block list.  | 
|  **Block list** **Note:** You cannot specify headers in a cache policy block list.  |  All query strings and cookies from the viewer request ***except*** those specified are included in the origin request.  |  All values from the viewer request are included in the origin request.  |  The values specified in the origin request policy are included in the origin request, even if those same values are specified in the cache policy block list. The origin request policy allow list overrides the cache policy block list.  |  All values from the viewer request ***except*** those specified in the cache policy or the origin request policy are included in the origin request.  |