Cloudfront and Lambda@Edge: Remove response header


I am trying to remove some headers from a Cloudfront response using Lambda@Edge on the ViewerResponse event. The origin is an S3 bucket.

I have been able to change the header like this:

    exports.handler = (event, context, callback) => {
        const response = event.Records[0].cf.response;
        response.headers.server = [{'key': 'server', 'value': 'bunny'}];
        callback(null, response);
    };

However, it does not seem to work to remove headers altogether, e.g. like this:

    exports.handler = (event, context, callback) => {
        const response = event.Records[0].cf.response;
        delete response.headers.server;
        // or response.header.server = null;
        // or response.headers.server = [{'key': 'server', 'value': null}];
        callback(null, response);
    };

This snippet does not remove but changes the server header from server: AmazonS3 to server: CloudFront. So I assumed that maybe the server header is mandatory and gets populated automatically. But I have also not been able to remove other headers that are generated by CloudFront. In the Lambda test pane, the function works as expected. So something is happening after the Lambda function finishes.

As a background, I would like to change the headers because the site gets blocked in an important client's network with the message that it was an online storage-or-backup location.

What am I missing?


Unfortunately, CloudFront does not currently support this as per AWS support:


It is not possible to completely remove the Server Header, we can either set it to None or even if we try to delete the server header field altogether, CloudFront will add a 'Server:CloudFront' to the viewer response.


Since you mentioned a government agency, you might want to ask what policy they're following. Most of these are probably based on the CIS benchmarks for things like Apache, which generally have an “information leakage” goal such as this:


Information is power and identifying web server details greatly increases the efficiency of any attack, as security vulnerabilities are extremely dependent upon specific software versions and configurations. Excessive probing and requests may cause too much "noise" being generated and may tip off an administrator. If an attacker can accurately target their exploits, the chances of successful compromise prior to detection increase dramatically. Script Kiddies are constantly scanning the Internet and documenting the version information openly provided by web servers. The purpose of this scanning is to accumulate a database of software installed on those hosts, which can then be used when new vulnerabilities are released.


The recommended advice I've seen has generally been something which allows a generic Server header in addition to removing it. For example, the Apache guide allows Server: Apache:


Configure the Apache ServerTokens directive to provide minimal information. By setting the value to Prod or ProductOnly. The only version information given in the server HTTP response header will be Apache rather than details on modules and versions installed.


If you remove the Server header in your code, CloudFront adding its own header does not leak information about the backend server and does not give an attacker new information because they already know that they are connecting to a CloudFront IP address.
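A sketch of the approach in the answer above, added here as an example and not taken from the original posts: a viewer-response handler that drops the headers identifying the S3 origin and leaves CloudFront to supply its generic Server value, plus a check for Server values that carry version detail. The function names, the `x-amz-request-id` and `x-amz-id-2` entries (S3's request-id headers) and the sample event are assumptions for illustration.

```javascript
// Assumption: headers an S3 origin adds that identify the backend.
// Only `server` comes from the question; the x-amz-* names are S3's
// request-id headers. CloudFront's own x-amz-cf-* headers are left alone.
const ORIGIN_HEADERS = ['server', 'x-amz-request-id', 'x-amz-id-2'];

// Remove origin-identifying headers from a CloudFront response object.
// Lambda@Edge keys the headers map by lowercase header name.
function stripOriginHeaders(response) {
  const removed = [];
  for (const name of ORIGIN_HEADERS) {
    if (response.headers[name]) {
      removed.push(name);
      delete response.headers[name];
    }
  }
  return removed;
}

// True when a Server value carries more than a bare product name,
// e.g. "Apache/2.4.41 (Ubuntu)"; "Apache" and "CloudFront" pass.
function leaksVersion(serverValue) {
  return /\/|\(|\d+\.\d+/.test(serverValue);
}

// Viewer-response handler (hypothetical name, same shape as the question's).
const handler = (event, context, callback) => {
  const response = event.Records[0].cf.response;
  stripOriginHeaders(response);
  callback(null, response); // CloudFront then adds "Server: CloudFront"
};

// Constructed sample event for local testing; not captured traffic.
const sampleEvent = () => ({
  Records: [{ cf: { response: {
    status: '200',
    headers: {
      'server': [{ key: 'Server', value: 'AmazonS3' }],
      'x-amz-request-id': [{ key: 'x-amz-request-id', value: 'EXAMPLE' }],
      'x-amz-id-2': [{ key: 'x-amz-id-2', value: 'EXAMPLE' }],
      'content-type': [{ key: 'Content-Type', value: 'text/html' }],
    },
  } } }],
});

if (typeof module !== 'undefined') module.exports = { handler };
```

The final viewer response will still show `Server: CloudFront`, which is the generic value the answer describes.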


