feat(cloudfront): remove headers and server timing (#23558)

Allow to remove headers and configure server timing in response headers policies.


----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Construct Runtime Dependencies:

* [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: jogold

packages/@aws-cdk/aws-cloudfront/README.md

@@ -91,7 +91,7 @@ your domain name, and provide one (or more) domain names from the certificate fo
 
 The certificate must be present in the AWS Certificate Manager (ACM) service in the US East (N. Virginia) region; the certificate
 may either be created by ACM, or created elsewhere and imported into ACM. When a certificate is used, the distribution will support HTTPS connections
-from SNI only and a minimum protocol version of TLSv1.2_2021 if the `@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021` feature flag is set, and TLSv1.2_2019 otherwise. 
+from SNI only and a minimum protocol version of TLSv1.2_2021 if the `@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021` feature flag is set, and TLSv1.2_2019 otherwise.
 
 ```ts
 // To use your own domain name in a Distribution, you must associate a certificate
@@ -340,6 +340,8 @@ const myResponseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'Resp
     strictTransportSecurity: { accessControlMaxAge: Duration.seconds(600), includeSubdomains: true, override: true },
     xssProtection: { protection: true, modeBlock: true, reportUri: 'https://example.com/csp-report', override: true },
   },
+  removeHeaders: ['Server'],
+  serverTimingSamplingRate: 50,
 });
 new cloudfront.Distribution(this, 'myDistCustomPolicy', {
   defaultBehavior: {
@@ -620,7 +622,7 @@ configuration properties have been changed:
 | `loggingConfig`                | `enableLogging`; configure with `logBucket` `logFilePrefix` and `logIncludesCookies`           |
 | `viewerProtocolPolicy`         | removed; set on each behavior instead. default changed from `REDIRECT_TO_HTTPS` to `ALLOW_ALL` |
 
-After switching constructs, you need to maintain the same logical ID for the underlying [CfnDistribution](https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-cloudfront.CfnDistribution.html) if you wish to avoid the deletion and recreation of your distribution. 
+After switching constructs, you need to maintain the same logical ID for the underlying [CfnDistribution](https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-cloudfront.CfnDistribution.html) if you wish to avoid the deletion and recreation of your distribution.
 To do this, use [escape hatches](https://docs.aws.amazon.com/cdk/v2/guide/cfn_layer.html) to override the logical ID created by the new Distribution construct with the logical ID created by the old construct.
 
 Example:
@@ -776,7 +778,7 @@ new cloudfront.CloudFrontWebDistribution(this, 'MyCfWebDistribution', {
 });
 ```
 
-Becomes: 
+Becomes:
 
 ```ts
 declare const sourceBucket: s3.Bucket;
@@ -795,8 +797,8 @@ cfnDistribution.addPropertyOverride('ViewerCertificate.SslSupportMethod', 'sni-o
 
 ### Other changes
 
-A number of default settings have changed on the new API when creating a new distribution, behavior, and origin. 
-After making the major changes needed for the migration, run `cdk diff` to see what settings have changed. 
+A number of default settings have changed on the new API when creating a new distribution, behavior, and origin.
+After making the major changes needed for the migration, run `cdk diff` to see what settings have changed.
 If no changes are desired during migration, you will at the least be able to use [escape hatches](https://docs.aws.amazon.com/cdk/v2/guide/cfn_layer.html) to override what the CDK synthesizes, if you can't change the properties directly.
 
 ## CloudFrontWebDistribution API
@@ -1002,7 +1004,7 @@ The following example command uses OpenSSL to generate an RSA key pair with a le
 openssl genrsa -out private_key.pem 2048
 ```
 
-The resulting file contains both the public and the private key. The following example command extracts the public key from the file named `private_key.pem` and stores it in `public_key.pem`. 
+The resulting file contains both the public and the private key. The following example command extracts the public key from the file named `private_key.pem` and stores it in `public_key.pem`.
 
 ```bash
 openssl rsa -pubout -in private_key.pem -out public_key.pem
@@ -1028,4 +1030,4 @@ new cloudfront.KeyGroup(this, 'MyKeyGroup', {
 See:
 
 * https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
-* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html 
+* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html

packages/@aws-cdk/aws-cloudfront/lib/response-headers-policy.ts

@@ -1,4 +1,4 @@
-import { Duration, Names, Resource } from '@aws-cdk/core';
+import { Duration, Names, Resource, Token } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnResponseHeadersPolicy } from './cloudfront.generated';
 
@@ -51,6 +51,22 @@ export interface ResponseHeadersPolicyProps {
    * @default - no security headers behavior
    */
   readonly securityHeadersBehavior?: ResponseSecurityHeadersBehavior;
+
+  /**
+   * A list of HTTP response headers that CloudFront removes from HTTP responses
+   * that it sends to viewers.
+   *
+   * @default - no headers are removed
+   */
+  readonly removeHeaders?: string[]
+
+  /**
+   * The percentage of responses that you want CloudFront to add the Server-Timing
+   * header to.
+   *
+   * @default - no Server-Timing header is added to HTTP responses
+   */
+  readonly serverTimingSamplingRate?: number;
 }
 
 /**
@@ -105,6 +121,8 @@ export class ResponseHeadersPolicy extends Resource implements IResponseHeadersP
         corsConfig: props.corsBehavior ? this._renderCorsConfig(props.corsBehavior) : undefined,
         customHeadersConfig: props.customHeadersBehavior ? this._renderCustomHeadersConfig(props.customHeadersBehavior) : undefined,
         securityHeadersConfig: props.securityHeadersBehavior ? this._renderSecurityHeadersConfig(props.securityHeadersBehavior) : undefined,
+        removeHeadersConfig: props.removeHeaders ? this._renderRemoveHeadersConfig(props.removeHeaders) : undefined,
+        serverTimingHeadersConfig: props.serverTimingSamplingRate ? this._renderServerTimingHeadersConfig(props.serverTimingSamplingRate) : undefined,
       },
     });
 
@@ -142,6 +160,36 @@ export class ResponseHeadersPolicy extends Resource implements IResponseHeadersP
       xssProtection: behavior.xssProtection,
     };
   }
+
+  private _renderRemoveHeadersConfig(headers: string[]): CfnResponseHeadersPolicy.RemoveHeadersConfigProperty {
+    const readonlyHeaders = ['content-encoding', 'content-length', 'transfer-encoding', 'warning', 'via'];
+
+    return {
+      items: headers.map(header => {
+        if (!Token.isUnresolved(header) && readonlyHeaders.includes(header.toLowerCase())) {
+          throw new Error(`Cannot remove read-only header ${header}`);
+        }
+        return { header };
+      }),
+    };
+  }
+
+  private _renderServerTimingHeadersConfig(samplingRate: number): CfnResponseHeadersPolicy.ServerTimingHeadersConfigProperty {
+    if (!Token.isUnresolved(samplingRate)) {
+      if ((samplingRate < 0 || samplingRate > 100)) {
+        throw new Error(`Sampling rate must be between 0 and 100 (inclusive), received ${samplingRate}`);
+      }
+
+      if (!hasMaxDecimalPlaces(samplingRate, 4)) {
+        throw new Error(`Sampling rate can have up to four decimal places, received ${samplingRate}`);
+      }
+    }
+
+    return {
+      enabled: true,
+      samplingRate,
+    };
+  }
 }
 
 /**
@@ -456,3 +504,8 @@ export enum HeadersReferrerPolicy {
    */
   UNSAFE_URL = 'unsafe-url',
 }
+
+function hasMaxDecimalPlaces(num: number, decimals: number): boolean {
+  const parts = num.toString().split('.');
+  return parts.length === 1 || parts[1].length <= decimals;
+}

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-policies.js.snapshot/cdk.out

@@ -1 +1 @@
-{"version":"20.0.0"}
+{"version":"22.0.0"}

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-policies.js.snapshot/integ-distribution-policies.assets.json

@@ -1,15 +1,15 @@
 {
-  "version": "20.0.0",
+  "version": "22.0.0",
   "files": {
-    "d76653a864e13a2b26a7cf3d87d4ff2a401608c2059e4fecbd6771e44716ee5d": {
+    "85cdf1d3cb389bbffb86daea3e968294cc2b3ab0ca95c300db0a6b907bed5589": {
       "source": {
         "path": "integ-distribution-policies.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "d76653a864e13a2b26a7cf3d87d4ff2a401608c2059e4fecbd6771e44716ee5d.json",
+          "objectKey": "85cdf1d3cb389bbffb86daea3e968294cc2b3ab0ca95c300db0a6b907bed5589.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-policies.js.snapshot/integ-distribution-policies.template.json

@@ -76,7 +76,18 @@
       "AccessControlMaxAgeSec": 600,
       "OriginOverride": true
      },
-     "Name": "ACustomResponseHeadersPolicy"
+     "Name": "ACustomResponseHeadersPolicy",
+     "RemoveHeadersConfig": {
+      "Items": [
+       {
+        "Header": "Server"
+       }
+      ]
+     },
+     "ServerTimingHeadersConfig": {
+      "Enabled": true,
+      "SamplingRate": 50
+     }
     }
    }
   },

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-policies.js.snapshot/integ.json

@@ -1,5 +1,5 @@
 {
-  "version": "20.0.0",
+  "version": "22.0.0",
   "testCases": {
     "integ.distribution-policies": {
       "stacks": [

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-policies.js.snapshot/manifest.json

@@ -1,12 +1,6 @@
 {
-  "version": "20.0.0",
+  "version": "22.0.0",
   "artifacts": {
-    "Tree": {
-      "type": "cdk:tree",
-      "properties": {
-        "file": "tree.json"
-      }
-    },
     "integ-distribution-policies.assets": {
       "type": "cdk:asset-manifest",
       "properties": {
@@ -23,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d76653a864e13a2b26a7cf3d87d4ff2a401608c2059e4fecbd6771e44716ee5d.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/85cdf1d3cb389bbffb86daea3e968294cc2b3ab0ca95c300db0a6b907bed5589.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -77,6 +71,12 @@
         ]
       },
       "displayName": "integ-distribution-policies"
+    },
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
     }
   }
 }

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-policies.js.snapshot/tree.json

@@ -4,14 +4,6 @@
     "id": "App",
     "path": "",
     "children": {
-      "Tree": {
-        "id": "Tree",
-        "path": "Tree",
-        "constructInfo": {
-          "fqn": "constructs.Construct",
-          "version": "10.1.85"
-        }
-      },
       "integ-distribution-policies": {
         "id": "integ-distribution-policies",
         "path": "integ-distribution-policies",
@@ -135,6 +127,17 @@
                         },
                         "accessControlMaxAgeSec": 600,
                         "originOverride": true
+                      },
+                      "removeHeadersConfig": {
+                        "items": [
+                          {
+                            "header": "Server"
+                          }
+                        ]
+                      },
+                      "serverTimingHeadersConfig": {
+                        "enabled": true,
+                        "samplingRate": 50
                       }
                     }
                   }
@@ -159,7 +162,7 @@
                 "path": "integ-distribution-policies/Dist/Origin1",
                 "constructInfo": {
                   "fqn": "constructs.Construct",
-                  "version": "10.1.85"
+                  "version": "10.1.189"
                 }
               },
               "Resource": {
@@ -209,17 +212,41 @@
               "fqn": "@aws-cdk/aws-cloudfront.Distribution",
               "version": "0.0.0"
             }
+          },
+          "BootstrapVersion": {
+            "id": "BootstrapVersion",
+            "path": "integ-distribution-policies/BootstrapVersion",
+            "constructInfo": {
+              "fqn": "@aws-cdk/core.CfnParameter",
+              "version": "0.0.0"
+            }
+          },
+          "CheckBootstrapVersion": {
+            "id": "CheckBootstrapVersion",
+            "path": "integ-distribution-policies/CheckBootstrapVersion",
+            "constructInfo": {
+              "fqn": "@aws-cdk/core.CfnRule",
+              "version": "0.0.0"
+            }
           }
         },
+        "constructInfo": {
+          "fqn": "@aws-cdk/core.Stack",
+          "version": "0.0.0"
+        }
+      },
+      "Tree": {
+        "id": "Tree",
+        "path": "Tree",
         "constructInfo": {
           "fqn": "constructs.Construct",
-          "version": "10.1.85"
+          "version": "10.1.189"
         }
       }
     },
     "constructInfo": {
-      "fqn": "constructs.Construct",
-      "version": "10.1.85"
+      "fqn": "@aws-cdk/core.App",
+      "version": "0.0.0"
     }
   }
 }

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-policies.ts

@@ -25,6 +25,8 @@ const responseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(stack, 'Respo
     accessControlMaxAge: cdk.Duration.seconds(600),
     originOverride: true,
   },
+  removeHeaders: ['Server'],
+  serverTimingSamplingRate: 50,
 });
 
 new cloudfront.Distribution(stack, 'Dist', {

packages/@aws-cdk/aws-cloudfront/test/response-headers-policy.test.ts

@@ -64,6 +64,8 @@ describe('ResponseHeadersPolicy', () => {
         strictTransportSecurity: { accessControlMaxAge: Duration.seconds(600), includeSubdomains: true, override: true },
         xssProtection: { protection: true, modeBlock: true, reportUri: 'https://example.com/csp-report', override: true },
       },
+      removeHeaders: ['Server'],
+      serverTimingSamplingRate: 12.3456,
     });
 
     Template.fromStack(stack).hasResourceProperties('AWS::CloudFront::ResponseHeadersPolicy', {
@@ -140,10 +142,35 @@ describe('ResponseHeadersPolicy', () => {
             ReportUri: 'https://example.com/csp-report',
           },
         },
+        RemoveHeadersConfig: {
+          Items: [{ Header: 'Server' }],
+        },
+        ServerTimingHeadersConfig: {
+          Enabled: true,
+          SamplingRate: 12.3456,
+        },
       },
     });
   });
 
+  test('throws when removing read-only headers', () => {
+    expect(() => new ResponseHeadersPolicy(stack, 'ResponseHeadersPolicy', {
+      removeHeaders: ['Content-Encoding'],
+    })).toThrow('Cannot remove read-only header Content-Encoding');
+  });
+
+  test('throws with out of range sampling rate', () => {
+    expect(() => new ResponseHeadersPolicy(stack, 'ResponseHeadersPolicy', {
+      serverTimingSamplingRate: 110,
+    })).toThrow('Sampling rate must be between 0 and 100 (inclusive), received 110');
+  });
+
+  test('throws with sampling rate with more than 4 decimal places', () => {
+    expect(() => new ResponseHeadersPolicy(stack, 'ResponseHeadersPolicy', {
+      serverTimingSamplingRate: 50.12345,
+    })).toThrow('Sampling rate can have up to four decimal places, received 50.12345');
+  });
+
   test('it truncates long auto-generated names', () => {
     new ResponseHeadersPolicy(stack, 'AVeryLongIdThatMightSeemRidiculousButSometimesHappensInCdkPipelinesBecauseTheStageNamesConcatenatedWithTheRegionAreQuiteLongMuchLongerThanYouWouldExpect');