Maciej Łopalewski
Maciej Łopalewski
Senior Software Engineer

AWS CloudFront Explained: How Cache, Origin, and Response Policies Supercharge Your CDN

Dec 31, 20256 min read

If you have configured Amazon CloudFront in the past, you might remember wrestling with "Cache Behaviors" - a monolithic setting where caching logic, origin forwarding, and header manipulation were all jumbled together.

Those days are over.

Modern CloudFront architecture uses a modular Policy System. This approach decouples caching (what is stored) from origin requests (what is sent to the backend) and response headers (security/CORS).

For DevOps engineers and cloud architects, understanding these three policy types is the key to building performant, secure, and scalable content delivery networks. This guide breaks down the ecosystem of CloudFront Managed Policies and helps you choose the right tools for the job.

What is CloudFront?

Before diving into policies, let’s ground ourselves in the basics. Amazon CloudFront is a global Content Delivery Network (CDN). Its primary job is to sit between your users and your infrastructure (the "Origin" - like an S3 bucket or an EC2 load balancer).

  • Latency: It serves content from "Edge Locations" physically closer to the user.
  • Security: It terminates TLS connections at the edge and blocks DDoS attacks.
  • Scale: It absorbs traffic spikes so your backend doesn't crash.

The Policy Trio: How They Work

In the modern CloudFront request flow, three distinct policies interact to process a user's request. Understanding the distinction between them is critical for avoiding common pitfalls like "cache misses" or CORS errors.

1. Cache Policy

Where it sits: At the very front of the flow. What it does: It determines the Cache Key.

When a user requests content, CloudFront uses this policy to decide if it already has a copy. It defines which headers, cookies, or query strings make a request "unique."

  • Strict policies = Higher cache hit ratio.
  • Loose policies = Lower cache hit ratio (more load on origin).

2. Origin Request Policy

Where it sits: Between CloudFront and your Backend (Origin). What it does: It determines what data is forwarded to the backend during a cache miss.

This is the most misunderstood policy. It allows you to send data (like user-specific cookies) to your backend without including that data in the Cache Key. This keeps your cache efficiency high while still giving your application the data it needs to process logic.

3. Response Headers Policy

Where it sits: On the way back to the user. What it does: It injects specific HTTP headers into the response.

Regardless of what your backend sends, this policy ensures the browser receives the correct Security (HSTS, XSS protection) and CORS headers.

Top Managed Policies: A Cheat Sheet

AWS maintains a library of "Managed Policies" that cover about 90% of use cases. Using these is a best practice - they are rigorously tested, updated by AWS, and require zero maintenance.

Here are the most essential managed policies for each category.

A. Managed Cache Policies

Control the Cache Key and TTL (Time To Live).

CachingOptimized

Best For: S3 Buckets, Static Websites, Images/Assets.

  • How it works: It ignores almost all headers and cookies. It aggressively caches content based solely on the URL path.
  • Why choose it: This provides the highest possible cache hit ratio. If your content doesn't change based on who is viewing it, use this.

CachingDisabled

Best For: Dynamic APIs, WebSockets, Real-time data.

  • How it works: It sets the Time-To-Live (TTL) to 0. Every request bypasses the cache and goes straight to the origin.
  • Why choose it: Essential for endpoints where data changes every second, or for write operations (POST/PUT) where caching would break functionality.

UseOriginCacheControlHeaders

Best For: CMS (WordPress/Drupal), Hybrid Apps.

  • How it works: It defers the decision to your server. It looks for Cache-Control headers sent by your backend to decide how long to store the file.
  • Why choose it: Perfect if you have a mix of static and dynamic content and want your application code, rather than CloudFront configuration, to control cache duration.

B. Managed Origin Request Policies

Control what the backend sees (without breaking the cache).

AllViewer

Best For: Legacy Applications, Complex Dynamic Apps.

  • How it works: Forwards everything - every header, every cookie, every query string - to the origin.
  • Why choose it: If your application relies on specific, obscure headers or client-side cookies to function, this ensures nothing is stripped out. Warning: This may expose internal origin details.

CORS-S3Origin

Best For: S3 Buckets serving assets to other domains.

  • How it works: Specifically whitelists the headers S3 requires to process CORS checks (Origin, Access-Control-Request-Method, etc.).
  • Why choose it: S3 handles CORS differently than a standard web server. Standard forwarding often fails with S3; this policy fixes those specific issues instantly.

UserAgentRefererHeaders

Best For: Analytics, Hotlink Protection.

  • How it works: It specifically forwards the User-Agent and Referer headers while stripping others.
  • Why choose it: If your backend needs to block requests from specific sites (hotlinking) or serve different content to mobile vs. desktop devices, but doesn't need full cookie visibility.

C. Managed Response Headers Policies

Control browser security and access.

SecurityHeadersPolicy

Best For: Everything. (Seriously, use this everywhere).

  • How it works: Automatically injects industry-standard security headers like:
    • Strict-Transport-Security (HSTS)
    • X-Frame-Options: DENY (prevents clickjacking)
    • X-Content-Type-Options: nosniff
  • Why choose it: It instantly hardens your application against common web attacks without requiring code changes on your server.

CORS-with-preflight-and-SecurityHeadersPolicy

Best For: Single Page Apps (React, Vue, Angular) calling APIs.

  • How it works: Combines the security headers above with a permissive CORS configuration. It handles the OPTIONS pre-flight requests that modern browsers send before making API calls.
  • Why choose it: It solves the dreaded "CORS Error" in browser consoles for modern web applications.

SimpleCORS

Best For: Public, read-only data feeds.

  • How it works: Adds Access-Control-Allow-Origin: * to the response.
  • Why choose it: If you are hosting public data (like a weather feed or public JSON file) that you want anyone to be able to use on their website, this is the quickest way to enable it.

Common CloudFront Misconfigurations and How Managed Policies Fix Them

Even experienced DevOps teams run into the same CloudFront issues over and over. Almost all of them trace back to legacy cache behaviors or overly customized settings. Here’s how CloudFront Managed Policies solve the most common problems.

1. “My cache hit ratio is terrible.”

  • Cause: Your Cache Key is too loose - it includes unnecessary headers, cookies, or query strings.
  • Symptom: Every request is seen as "unique," forcing a constant stream of cache misses.
  • The Fix: Use the CachingOptimized managed policy. It strips almost everything from the Cache Key, restoring high hit ratios - perfect for static assets, SPAs, and S3 origins.

2. “CloudFront keeps forwarding too many headers to my origin.”

  • Cause: Legacy behaviors often forward all headers by default.
  • Impact: Increased origin load, slower responses, and potential "Request Header Too Large" errors on the backend.
  • The Fix: Switch to an Origin Request Policy like UserAgentRefererHeaders or CORS-S3Origin. This ensures you forward only what your backend actually needs to function.

3. “I’m still getting CORS errors in the browser.”

  • Cause: Missing or inconsistent Access-Control-* headers.
  • The Fix: Apply the CORS-with-preflight-and-SecurityHeadersPolicy response policy. It handles OPTIONS preflight requests and injects all required CORS headers at the edge - even if your backend forgets them.

4. “S3 CORS works on localhost, but not in CloudFront.”

  • Cause: S3 requires specific headers to process CORS. If CloudFront strips them, S3 treats the request as standard and omits the CORS response headers.
  • The Fix: Use the CORS-S3Origin Origin Request Policy. This explicitly forwards Origin, Access-Control-Request-Method, and Access-Control-Request-Headers so S3 knows to respond correctly.

5. “My dynamic API is being cached when it shouldn’t be.”

  • Cause: Your API path (/api/*) is falling through to a default behavior that has caching enabled.
  • The Fix: Create a specific behavior for your API path and attach CachingDisabled. This guarantees every request bypasses the edge and reaches your application.

Summary

Moving to Managed Policies allows you to operate with "Intent-Based Configuration." Instead of tweaking individual settings, you select a policy that matches your architectural intent.

IntentRecommended Policy Combo
Static WebsiteCache: CachingOptimized
Origin Request: None (or CORS-S3Origin)
Response: SecurityHeadersPolicy
Dynamic APICache: CachingDisabled
Origin Request: AllViewer
Response: SimpleCORS
Modern Web App (SPA)Cache: CachingOptimized (for assets)
Origin Request: None
Response: CORS-with-preflight
RELATED POSTS
Paweł Sławacki
Paweł Sławacki
Managing Director

Geospatial Data Orchestration: Why Modern GIS Pipelines Require an Asset-Based Approach

Dec 24, 20256 min read
Article image
Daniel Kraszewski
Daniel Kraszewski
Head of Engineering

Forwarding Cookies Using CloudFront: A Workaround for AWS Cache Policy Limitations

Dec 17, 20254 min read
Article image
Bartłomiej Gałęzowski
Bartłomiej Gałęzowski
Senior Software Engineer

Modular architecture in Medusa 2.0 - how it works and what it offers developers?

Nov 30, 20254 min read
Article image