Request URL: http://d2l5dw7ow11yzt.cloudfront.net/339/254/0.5-0.5/assets/images/51b24a2054b709630c000024.jpg
Response Headers:
Age: 162
Cache-Control: public, must-revalidate, max-age=2592000
Connection: keep-alive
Content-Disposition: inline
Content-Length: 0
Content-Type: image/jpeg
Date: Fri, 28 Jun 2013 11:28:58 GMT
Server: nginx/1.2.3 + Phusion Passenger 3.0.11 (mod_rails/mod_rack)
Status: 404
Via: 1.0 008f50a49148d5d680c8ef45e85b337f.cloudfront.net (CloudFront)
X-Amz-Cf-Id: PbZOLZDUKHPiPWYk0fvn1522PVk0JUqRtRMDlHzZF7oexvOtwzGczA==
X-Cache: Error from cloudfront
X-Frame-Options: sameorigin
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.11
X-Xss-Protection: 1; mode=block

Request URL (same as above, made a little later): http://d2l5dw7ow11yzt.cloudfront.net/339/254/0.5-0.5/assets/images/51b24a2054b709630c000024.jpg
Response Headers:
Age: 1978
Cache-Control: public, must-revalidate, max-age=2592000
Connection: keep-alive
Content-Disposition: inline
Content-Length: 14593
Content-Type: image/jpeg
Date: Fri, 28 Jun 2013 11:41:47 GMT
Last-Modified: Fri, 28 Jun 2013 11:41:47 GMT
Server: nginx/1.2.3 + Phusion Passenger 3.0.11 (mod_rails/mod_rack)
Status: 200
Via: 1.0 776faa2c6e73220b01b70433c12232f0.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 8ZknWjGy6dn7lYE0yGhAokXrAgpRPWhDb9ZtrSS_IqSFuzl6ADPKHQ==
X-Cache: Hit from cloudfront
X-Frame-Options: sameorigin
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.11
X-Xss-Protection: 1; mode=block

An actual 404 returned by our server (e.g., for http://d2l5dw7ow11yzt.cloudfront.net/339/254/0.5-0.5/assets/images/51b24a2054b709630c000025.jpg):
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 0
Content-Type: text/html;charset=utf-8
Server: nginx/1.2.3 + Phusion Passenger 3.0.11 (mod_rails/mod_rack)
Status: 404
Via: 1.0 b321e5acbbacc5f8d3dc636a566d2e8d.cloudfront.net (CloudFront)
X-Amz-Cf-Id: eZjgPhOCytic-3pONXfIY5VXiHQw3ewhlFlfKDIiai21fbdIq_NoOQ==
X-Cache: Error from cloudfront
X-Frame-Options: sameorigin
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.11
X-XSS-Protection: 1; mode=block

@daniel-nelson & @NoahKunin I'm curious about it: how did you make it, or has it been an old setup in CloudFront?
Can't get CloudFront to do X-Frame-Options still it seems. There is a Lambda@Edge they are testing, but no word on when that's production ready.
In this gist's case, it appears to have a Server: nginx/1.2.3 + Phusion Passenger 3.0.11 (mod_rails/mod_rack) - that is what is adding the X-Frame-Options header. CloudFront will pass through headers from an origin server or whatnot, but S3 does not set headers like a server -- it is a storage system first.
Aggravating, because the missing X-Frame-Options on a pure CloudFront-S3 system is causing a security scan to fail because of the potential for clickjacking attacks. In this case, on a purely informational site, it's a non-issue because there are no forms to process, no shared authentications, etc. Static files.
How did you get CloudFront to do X-Frame-Options?
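
Added example, not part of the gist or of any comment above: one way to get X-Frame-Options onto responses from an origin that does not send it (such as S3) is a Lambda@Edge function on the CloudFront origin-response event. The function names, the enforced value and the sample event are assumptions made for this sketch; a header the origin already set, as the nginx origin in the gist does, is left untouched.

```javascript
// Added example: Lambda@Edge handler for the CloudFront "origin-response" event.
// The header table is an assumption; it mirrors the framing header that the
// nginx/Passenger origin in the gist already sends.
const REQUIRED_HEADERS = {
  'X-Frame-Options': 'SAMEORIGIN',
};

// CloudFront passes headers as { '<lowercase-name>': [{ key, value }] }.
// Returns the names of the headers that had to be added.
function addMissingHeaders(headers, required = REQUIRED_HEADERS) {
  const added = [];
  for (const [name, value] of Object.entries(required)) {
    const slot = name.toLowerCase();
    // Respect a value the origin already sent; only fill the gap left by
    // an origin that sets no such header.
    if (Array.isArray(headers[slot]) && headers[slot].length > 0) continue;
    headers[slot] = [{ key: name, value }];
    added.push(name);
  }
  return added;
}

// Entry point CloudFront invokes; returning the response forwards it on.
async function handler(event) {
  const response = event.Records[0].cf.response;
  addMissingHeaders(response.headers);
  return response;
}

// Constructed sample event: an origin response with no framing header,
// optionally extended with extra headers for testing.
function sampleEvent(extraHeaders = {}) {
  return {
    Records: [{ cf: { response: {
      status: '200',
      statusDescription: 'OK',
      headers: {
        'content-type': [{ key: 'Content-Type', value: 'image/jpeg' }],
        ...extraHeaders,
      },
    } } }],
  };
}

// Export for the Lambda runtime (CommonJS); skipped when run as a plain script.
if (typeof module !== 'undefined' && module.exports) {
  module.exports = { handler, addMissingHeaders, sampleEvent };
}
```

Because the header is written at origin-response time, CloudFront stores it with the cached object, so later cache hits carry it without invoking the function again.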