
Security Headers & Cookie Management in Hybrid AEM CDN Setup on AWS CloudFront

aemrules.com

7 min read · Anuj Gangwar · AEM Architect @ Adobe

TL;DR: 5 things to know in 30 seconds

1. Never manage security headers on EDS and AMS independently. Enforce all of them at CloudFront only, using a Response Headers Policy: one place, consistent everywhere.
2. Your CSP must be a superset covering both EDS and AMS: script, font, and connect sources from both origins in one unified policy.
3. Strip all cookies before forwarding to the EDS origin. EDS is stateless; forwarding AMS session cookies destroys cache efficiency, because every user gets a unique cache entry.
4. For AMS authenticated paths, whitelist only the cookies you need (typically login-token). Never forward all cookies blindly.
5. For SSO across EDS and AMS pages, use a lightweight JWT shared cookie reada...
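The CloudFormation fragment below is an added example, not code from the article or from Adobe, showing how points 1 to 4 map onto CloudFront primitives: a single Response Headers Policy attached to every cache behavior, a cache policy for EDS that puts no cookies in the cache key or the origin request, and an origin request policy for authenticated AMS paths that forwards only login-token. Origin hostnames, policy names, the /content/secure/* path pattern and the CSP source lists are assumptions to be replaced with your own; the managed CachingDisabled policy ID is AWS's published one.

```yaml
# Added example (not from the article). Hostnames, names and paths are assumed.
Resources:
  # Point 1: one Response Headers Policy, referenced by every cache behavior,
  # so EDS- and AMS-served pages get identical headers. Override: true makes
  # CloudFront replace any header an origin sets itself.
  SharedSecurityHeaders:
    Type: AWS::CloudFront::ResponseHeadersPolicy
    Properties:
      ResponseHeadersPolicyConfig:
        Name: shared-security-headers
        SecurityHeadersConfig:
          StrictTransportSecurity:
            AccessControlMaxAgeSec: 63072000
            IncludeSubdomains: true
            Preload: true
            Override: true
          ContentTypeOptions:
            Override: true
          FrameOptions:
            FrameOption: SAMEORIGIN
            Override: true
          ReferrerPolicy:
            ReferrerPolicy: strict-origin-when-cross-origin
            Override: true
          ContentSecurityPolicy:
            # Point 2: a superset of what EDS pages and AMS pages each need.
            # Folded scalar, so this becomes one header value. Hosts are placeholders.
            ContentSecurityPolicy: >-
              default-src 'self';
              script-src 'self' https://eds.example.com https://ams.example.com;
              style-src 'self' 'unsafe-inline' https://eds.example.com;
              font-src 'self' https://fonts.gstatic.com;
              connect-src 'self' https://eds.example.com https://ams.example.com;
              img-src 'self' data: https://eds.example.com https://ams.example.com;
              frame-ancestors 'self'
            Override: true

  # Point 3: EDS is stateless. No cookie (and no header or query string) enters
  # the cache key or the origin request, so one cached object serves every user.
  EdsCachePolicy:
    Type: AWS::CloudFront::CachePolicy
    Properties:
      CachePolicyConfig:
        Name: eds-stateless
        MinTTL: 0
        DefaultTTL: 86400
        MaxTTL: 31536000
        ParametersInCacheKeyAndForwardedToOrigin:
          CookiesConfig:
            CookieBehavior: none
          HeadersConfig:
            HeaderBehavior: none
          QueryStringsConfig:
            QueryStringBehavior: none
          EnableAcceptEncodingGzip: true
          EnableAcceptEncodingBrotli: true

  # Point 4: authenticated AMS paths get only login-token, never the whole jar.
  AmsAuthOriginRequestPolicy:
    Type: AWS::CloudFront::OriginRequestPolicy
    Properties:
      OriginRequestPolicyConfig:
        Name: ams-auth-cookie-whitelist
        CookiesConfig:
          CookieBehavior: whitelist
          Cookies:
            - login-token
        HeadersConfig:
          HeaderBehavior: none
        QueryStringsConfig:
          QueryStringBehavior: all

  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: eds-origin
            DomainName: eds.example.com            # assumed EDS origin host
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
          - Id: ams-origin
            DomainName: publish.ams.example.com    # assumed AMS publish/dispatcher host
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
        DefaultCacheBehavior:                      # everything not matched below goes to EDS
          TargetOriginId: eds-origin
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: !Ref EdsCachePolicy
          ResponseHeadersPolicyId: !Ref SharedSecurityHeaders
        CacheBehaviors:
          - PathPattern: /content/secure/*         # assumed authenticated AMS path
            TargetOriginId: ams-origin
            ViewerProtocolPolicy: redirect-to-https
            CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad   # AWS managed CachingDisabled
            OriginRequestPolicyId: !Ref AmsAuthOriginRequestPolicy
            ResponseHeadersPolicyId: !Ref SharedSecurityHeaders
```

Two design choices worth checking in your own setup: the authenticated AMS behavior uses the managed CachingDisabled cache policy plus an origin request policy, so login-token is forwarded but never becomes part of a cache key; if you instead want per-user caching of personalized pages, move the login-token whitelist into a CachePolicy and accept one cache entry per token. And because both origins sit behind the same CloudFront hostname, 'self' already covers same-site scripts; the extra CSP hosts are only needed for assets that pages load directly from an origin or third-party domain.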