28

Is it possible to have custom headers on Amazon S3 with arbitrary naming?

For example, I am using a CDN pointing to Amazon S3 as the origin server, and in order to enable advanced functionality on the CDN I need to use a custom header x-something-something...

I see it's possible to do this with x-amz-meta-(something) but what about something more general like x-(something)-(something) without the amz?

Amazon S3 custom headers

Yves M.
  • 29,855
  • 23
  • 108
  • 144
Jeff
  • 2,778
  • 6
  • 23
  • 27

4 Answers4

18

This beautiful article explains it all: Serving custom headers from static sites on CloudFront/S3 with Lambda@Edge

tldr:

You can't—do it only with S3. You need to use CloudFront and Lambda via Lambda@Edge. It's an integration between Lambda and CloudFront. It allows you to run Lambdas within the CloudFront. This allows you to change headers among other things. So if you are ok accessing your S3 via CloudFront then this could be a viable option.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
aWebDeveloper
  • 36,687
  • 39
  • 170
  • 242
  • See also https://stackoverflow.com/questions/63203619/how-to-add-headers-to-cloudfront-response – Yves M. Mar 03 '21 at 17:43
  • 2
    Now we can do this using reponse header policy see https://stackoverflow.com/a/69985208/353241 – Sarath Nov 16 '21 at 10:45
15

I don't think it is possible with their current API. They cover the major headers you will need for caching and browser interoperability.

I think they are being safe in only allowing x-amz-meta- prefixed custom headers, possibly to keep from clashing with user selected headers when they update their api in the future.

If you need custom attributes attached to your objects, it should be trivial to parse out the x-amz-meta- in your client application.

Kekoa
  • 27,892
  • 14
  • 72
  • 91
  • 13
    "Trivial" if you control the client application... but if it is some third party, it's not so trivial! – Jeff Jun 22 '12 at 17:23
  • 1
    @Jeff I suppose if you don't access AWS directly you are beholden to the limitations of whatever you are using. – Kekoa Jun 22 '12 at 18:01
  • Thanks, I was wondering why I couldn't set custom headers on my own. The `x-amz-meta-`prefix did it indeed (a fact poorly documented by Amazon). – Frederic Sep 22 '14 at 15:19
  • 2
    I am using their static website hosting solution and i want to set X-Frame-Options. But now i can't, I need to think of some other solution – aWebDeveloper Mar 28 '17 at 09:38
2

Amazon now natively supports adding security headers.

Blog with information: Amazon CloudFront introduces Response Headers Policies

Documentation: create-response-headers-policy

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
aWebDeveloper
  • 36,687
  • 39
  • 170
  • 242
0

I was able to achieve this using the s3cmd tool. I wrote a sync script that syncs my static site using the --cache-control parameter on the AWS client tool and then manually resets it and adds a couple of other headers for a few specific files:

cd /appropriatedirectory

# Delete current site aws s3 rm s3://yourbucket --recursive --exclude 'logs/*'

# Upload new site, setting cache header to 1 month for all files aws s3 sync . s3://yourbucket --exclude '.idea/*' --exclude '.git/*' --exclude '.gitignore' --cache-control max-age=2592000

# Overrides the cache headers for some file python /pathToS3cmd/s3cmd modify --add-header="Cache-Control:no-cache,no-store,must-revalidate" s3://yourbucket/somefile.html python /pathToS3cmd/s3cmd/s3cmd modify --add-header="Expires:0" s3://yourbucket/somefile.html python /pathToS3cmd/s3cmd/s3cmd modify --add-header="Pragma:no-cache" s3://yourbucket/somefile.html

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Mike Wilklow
  • 108
  • 1
  • 7
  • This has some cruft in it for ignoring logs, IntelliJ, and Git files. I left it in as a hopefully helpful example of a practical sync script. – Mike Wilklow Sep 22 '17 at 18:38
  • 1
    Unfortunately, only a restricted set of headers is supported. Standard cache control related headers are supported though. https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUT.html#RESTObjectPUT-requests – Konstantin Pelepelin Apr 18 '18 at 15:40