
Forward all viewer headers/cookies/query strings on uncached CloudFront routes#11697

Merged
nbudin merged 1 commit into
mainfrom
cloudfront-forward-all-viewer-headers
Jun 14, 2026

Conversation

@nbudin

@nbudin nbudin commented Jun 14, 2026


Summary

  • Replaces the two restrictive origin request policies (forward_host and forward_host_with_refresh_cookie) with a single forward_all policy using allViewer for headers, cookies, and query strings
  • Previously, User-Agent and all other viewer headers were stripped before reaching Rails, so Sentry events from server-side errors lacked browser/OS context
  • Cookies and query strings were also being stripped, which could affect session-based routes (e.g. Devise confirmation/password reset links) and Rails auth

Why no caching tradeoff

All affected behaviors use the no_cache cache policy (TTL=0), so there is nothing to protect — the restrictive whitelist had no benefit, only cost.

The og_shell cached behavior is unchanged and still uses its own restrictive policy, where the whitelist is load-bearing for cache hit rates.

Test plan

  • terraform plan shows the two old policies destroyed and one new policy created, with the four affected behaviors updated to reference the new policy
  • After apply, confirm Sentry events on Rails routes include browser context

🤖 Generated with Claude Code
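The policy pairing this PR describes, written out as an added Terraform illustration (not the project's own code): a `forward_all` origin request policy next to a `no_cache` cache policy with every TTL at 0, with the resource and policy names taken from the description above and everything else assumed. The TTL=0 cache policy is what makes forwarding every cookie and header safe; on a behavior with positive TTLs, a response generated for one viewer's cookies could be stored and served to other viewers, which is why the cached og_shell behavior keeps its restrictive policy.

```hcl
# Added illustration, not the project's Terraform. Names (forward_all, no_cache,
# "rails" origin id) are assumed to match the PR description.

# Origin request policy: send the origin everything the viewer sent.
resource "aws_cloudfront_origin_request_policy" "forward_all" {
  name    = "forward-all-viewer"
  comment = "Forward all viewer headers, cookies and query strings to the origin"

  headers_config {
    header_behavior = "allViewer"
  }
  cookies_config {
    cookie_behavior = "all"
  }
  query_strings_config {
    query_string_behavior = "all"
  }
}

# Cache policy: nothing is ever stored at the edge, so the forwarded cookies and
# headers cannot leak into a response served to a different viewer. Only pair the
# policy above with a cache policy like this one; a behavior with positive TTLs
# needs a whitelist (and those fields in its cache key) instead.
resource "aws_cloudfront_cache_policy" "no_cache" {
  name        = "no-cache"
  min_ttl     = 0
  default_ttl = 0
  max_ttl     = 0

  parameters_in_cache_key_and_forwarded_to_origin {
    headers_config {
      header_behavior = "none"
    }
    cookies_config {
      cookie_behavior = "none"
    }
    query_strings_config {
      query_string_behavior = "none"
    }
  }
}

# Each uncached ordered_cache_behavior in the distribution then references both:
#   cache_policy_id          = aws_cloudfront_cache_policy.no_cache.id
#   origin_request_policy_id = aws_cloudfront_origin_request_policy.forward_all.id
# The cached behavior (og_shell in this PR) keeps its own restrictive policy.
```

After `terraform apply`, a request to an uncached route should reach Rails with the viewer's User-Agent and session cookie intact, which is the check the test plan above relies on.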

…nt routes

Replaces the overly-restrictive forward_host and forward_host_with_refresh_cookie
origin request policies (which only whitelisted the Host header) with a single
forward_all policy using allViewer for headers, cookies, and query strings.

Previously, headers like User-Agent were stripped before reaching Rails, so
Sentry events from server-side errors lacked browser context. Since all affected
behaviors use the no-cache cache policy (TTL=0), there is no caching tradeoff.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@nbudin nbudin merged commit dbf384f into main Jun 14, 2026
15 checks passed
@nbudin nbudin deleted the cloudfront-forward-all-viewer-headers branch June 14, 2026 17:20
@github-actions


Code Coverage Report: Only Changed Files listed

Package Base Coverage New Coverage Difference
Overall Coverage 🟢 53.79% 🟢 53.79% ⚪ 0%

Minimum allowed coverage is 0%, this run produced 53.79%

