chore(cloudfront): add validation for configuring response headers policy (#35308)

badmintoncryer · web-flow · commit 8400b2b7d984 · 2025-09-01T19:09:58.000Z
### Issue # (if applicable) None ### Reason for this change When creating a `ResponseHeadersPolicy`, if we set `accessControlAllowCredentials` to true in the CORS configuration and include a string containing `*` in `accessControlAllowHeaders`, it causes a deployment error. I added validation to prevent this in advance. ```console 10:57:02 PM | CREATE_FAILED | AWS::CloudFront::ResponseHeadersPolicy | Dev-PriCo ach/MainS...ponseHeadersPolicy Resource handler returned message: "Invalid request provided: AWS::CloudFront::ResponseHeade rsPolicy: The parameter Access-Control-Allow-Headers cannot contain * when allowCredentials is true. (Service: CloudFront, Status Code: 400, Request ID: 9298af67-dfb6-4ddc-9cd6-b301e8f eed3e) (SDK Attempt Count: 1)" (RequestToken: 2cbce7b6-8501-7bf8-aeb8-6781277473a0, HandlerE rrorCode: InvalidRequest) ``` ### Description of changes Add validation for `ResponseHeadersPolicy`. ### Describe any new or updated permissions being added None ### Description of how you validated changes Add unit test ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts
@@ -144,6 +144,11 @@ export class ResponseHeadersPolicy extends Resource implements IResponseHeadersP
         throw new ValidationError(`accessControlAllowMethods contains unexpected method name; allowed values: ${allowedMethods.join(', ')}`, this);
       }
     });
+    withResolved(behavior.accessControlAllowHeaders, (headers) => {
+      if (behavior.accessControlAllowCredentials && headers.some(header => !Token.isUnresolved(header) && header.includes('*'))) {
+        throw new ValidationError('accessControlAllowHeaders cannot contain "*" or headers with "*" when accessControlAllowCredentials is true', this);
+      }
+    });
 
     return {
       accessControlAllowCredentials: behavior.accessControlAllowCredentials,
diff --git a/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts b/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts
@@ -205,5 +205,20 @@ describe('ResponseHeadersPolicy', () => {
         },
       })).toThrow(/accessControlAllowMethods contains unexpected method name/);
     });
+
+    test.each([
+      [['*']],
+      [['X-Custom-*', 'Authorization']],
+    ])('throws if accessControlAllowHeaders contains wildcard when accessControlAllowCredentials is true', (headers) => {
+      expect(() => new ResponseHeadersPolicy(stack, 'ResponseHeadersPolicy', {
+        corsBehavior: {
+          accessControlAllowCredentials: true,
+          accessControlAllowHeaders: headers,
+          accessControlAllowMethods: ['GET'],
+          accessControlAllowOrigins: ['https://example.com'],
+          originOverride: true,
+        },
+      })).toThrow('accessControlAllowHeaders cannot contain "*" or headers with "*" when accessControlAllowCredentials is true');
+    });
   });
 });
