Package software.amazon.awscdk.services.cloudfront

Interface ResponseHeadersCorsBehavior

All Superinterfaces:
software.amazon.jsii.JsiiSerializable
All Known Implementing Classes:
ResponseHeadersCorsBehavior.Jsii$Proxy
@Generated(value="jsii-pacmak/1.116.0 (build 0eddcff)", date="2025-10-29T11:15:34.382Z") @Stability(Stable) public interface ResponseHeadersCorsBehavior extends software.amazon.jsii.JsiiSerializable
Configuration for a set of HTTP response headers that are used for cross-origin resource sharing (CORS).

CloudFront adds these headers to HTTP responses that it sends for CORS requests that match a cache behavior associated with this response headers policy.

Example: 

 // Using an existing managed response headers policy
 S3Origin bucketOrigin;
 Distribution.Builder.create(this, "myDistManagedPolicy")
         .defaultBehavior(BehaviorOptions.builder()
                 .origin(bucketOrigin)
                 .responseHeadersPolicy(ResponseHeadersPolicy.CORS_ALLOW_ALL_ORIGINS)
                 .build())
         .build();
 // Creating a custom response headers policy -- all parameters optional
 ResponseHeadersPolicy myResponseHeadersPolicy = ResponseHeadersPolicy.Builder.create(this, "ResponseHeadersPolicy")
         .responseHeadersPolicyName("MyPolicy")
         .comment("A default policy")
         .corsBehavior(ResponseHeadersCorsBehavior.builder()
                 .accessControlAllowCredentials(false)
                 .accessControlAllowHeaders(List.of("X-Custom-Header-1", "X-Custom-Header-2"))
                 .accessControlAllowMethods(List.of("GET", "POST"))
                 .accessControlAllowOrigins(List.of("*"))
                 .accessControlExposeHeaders(List.of("X-Custom-Header-1", "X-Custom-Header-2"))
                 .accessControlMaxAge(Duration.seconds(600))
                 .originOverride(true)
                 .build())
         .customHeadersBehavior(ResponseCustomHeadersBehavior.builder()
                 .customHeaders(List.of(ResponseCustomHeader.builder().header("X-Amz-Date").value("some-value").override(true).build(), ResponseCustomHeader.builder().header("X-Amz-Security-Token").value("some-value").override(false).build()))
                 .build())
         .securityHeadersBehavior(ResponseSecurityHeadersBehavior.builder()
                 .contentSecurityPolicy(ResponseHeadersContentSecurityPolicy.builder().contentSecurityPolicy("default-src https:;").override(true).build())
                 .contentTypeOptions(ResponseHeadersContentTypeOptions.builder().override(true).build())
                 .frameOptions(ResponseHeadersFrameOptions.builder().frameOption(HeadersFrameOption.DENY).override(true).build())
                 .referrerPolicy(ResponseHeadersReferrerPolicy.builder().referrerPolicy(HeadersReferrerPolicy.NO_REFERRER).override(true).build())
                 .strictTransportSecurity(ResponseHeadersStrictTransportSecurity.builder().accessControlMaxAge(Duration.seconds(600)).includeSubdomains(true).override(true).build())
                 .xssProtection(ResponseHeadersXSSProtection.builder().protection(true).modeBlock(false).reportUri("https://example.com/csp-report").override(true).build())
                 .build())
         .removeHeaders(List.of("Server"))
         .serverTimingSamplingRate(50)
         .build();
 Distribution.Builder.create(this, "myDistCustomPolicy")
         .defaultBehavior(BehaviorOptions.builder()
                 .origin(bucketOrigin)
                 .responseHeadersPolicy(myResponseHeadersPolicy)
                 .build())
         .build();

  • Method Details

    • getAccessControlAllowCredentials

      @Stability(Stable) @NotNull Boolean getAccessControlAllowCredentials()
      A Boolean that CloudFront uses as the value for the Access-Control-Allow-Credentials HTTP response header.

    • getAccessControlAllowHeaders

      @Stability(Stable) @NotNull List<String> getAccessControlAllowHeaders()
      A list of HTTP header names that CloudFront includes as values for the Access-Control-Allow-Headers HTTP response header.

      You can specify ['*'] to allow all headers.

    • getAccessControlAllowMethods

      @Stability(Stable) @NotNull List<String> getAccessControlAllowMethods()
      A list of HTTP methods that CloudFront includes as values for the Access-Control-Allow-Methods HTTP response header.

      Allowed methods: 'GET', 'DELETE', 'HEAD', 'OPTIONS', 'PATCH', 'POST', and 'PUT'. You can specify ['ALL'] to allow all methods.

    • getAccessControlAllowOrigins

      @Stability(Stable) @NotNull List<String> getAccessControlAllowOrigins()
      A list of origins (domain names) that CloudFront can use as the value for the Access-Control-Allow-Origin HTTP response header.

      You can specify ['*'] to allow all origins.

    • getOriginOverride

      @Stability(Stable) @NotNull Boolean getOriginOverride()
      A Boolean that determines whether CloudFront overrides HTTP response headers received from the origin with the ones specified in this response headers policy.

    • getAccessControlExposeHeaders

      @Stability(Stable) @Nullable default List<String> getAccessControlExposeHeaders()
      A list of HTTP headers that CloudFront includes as values for the Access-Control-Expose-Headers HTTP response header.

      You can specify ['*'] to expose all headers.

      Default: - no headers exposed

    • getAccessControlMaxAge

      @Stability(Stable) @Nullable default Duration getAccessControlMaxAge()
      A number that CloudFront uses as the value for the Access-Control-Max-Age HTTP response header.

      Default: - no max age

    • builder

      @Stability(Stable) static ResponseHeadersCorsBehavior.Builder builder()
      Returns:
      a ResponseHeadersCorsBehavior.Builder of ResponseHeadersCorsBehavior