fix: add Next.js RSC headers to CloudFront CachePolicy to prevent cache poisoning#118
Closed
fix: add Next.js RSC headers to CloudFront CachePolicy to prevent cache poisoning#118
Conversation
…he poisoning Add RSC, Next-Router-Prefetch, Next-Router-State-Tree, and Next-URL headers to CacheHeaderBehavior.allowList so that CloudFront distinguishes RSC flight responses from HTML responses in the cache key. Without these headers, static/ISR pages can serve text/x-component data for normal HTML requests (or vice versa) when CloudFront caching is active. Closes #100
Contributor
Author
|
Closing in favor of a revised approach using CloudFront Functions to hash RSC headers into a single cache key header, avoiding the 10-header limit on CloudFront Cache Policies. |
konokenj
added a commit
that referenced
this pull request
Mar 22, 2026
## Summary Prevent CloudFront cache poisoning between HTML and RSC flight responses by adding a CloudFront Function that hashes Next.js RSC headers into a single cache key header. Closes #100 Supersedes #118 ## Problem Next.js App Router sends two types of requests to the same URL: 1. **HTML requests** — full page loads 2. **RSC requests** — client-side navigation with `RSC: 1` header, returning `text/x-component` flight data Next.js sets `Vary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch` (plus `next-url` for interception routes) to signal that responses differ based on these headers. However, CloudFront does not honor `Vary` — headers must be explicitly included in the Cache Policy to become part of the cache key. Without this fix, when CloudFront caching is active (static pages, ISR, or explicit cache headers), an RSC response can be cached and served for a normal HTML request, or vice versa. ## Approach Adding all 5 RSC headers directly to the Cache Policy would hit CloudFront's **10-header limit** (5 existing + 5 = 10, no room for future additions). Instead, we use a **CloudFront Function** (VIEWER_REQUEST) that: 1. Reads the 5 Next.js RSC headers (`rsc`, `next-router-prefetch`, `next-router-state-tree`, `next-router-segment-prefetch`, `next-url`) 2. Hashes them into a single `x-nextjs-cache-key` header using FNV-1a 3. The Cache Policy includes only `x-nextjs-cache-key` (6/10 headers used) This is the same approach used by [cdk-nextjs](https://github.com/jetbridge/cdk-nextjs) (which hashes into `x-open-next-cache-key`). ### Why CloudFront Function (not Lambda@Edge)? The existing `sign-payload` Lambda@Edge (ORIGIN_REQUEST) handles request body hashing for SigV4, which requires body access — only possible with Lambda@Edge. The RSC header hashing is a lightweight header-only operation ideal for CloudFront Functions. Both coexist on the same behavior (CF Function at VIEWER_REQUEST, L@E at ORIGIN_REQUEST). ## Files changed - `cdk/lib/constructs/cf-lambda-furl-service/cf-function/cache-key.js` — New CloudFront Function - `cdk/lib/constructs/cf-lambda-furl-service/service.ts` — Wire up CF Function + add `x-nextjs-cache-key` to Cache Policy ## Grounding / References - **Next.js source (v16.1.6)** `base-server.js:setVaryHeader()` — Confirms `Vary` includes `rsc`, `next-router-state-tree`, `next-router-prefetch`, `next-router-segment-prefetch` for all App Router pages, plus `next-url` for interception routes - **Next.js source** `app-render.js:149` — `next-router-segment-prefetch: /_tree` triggers a different response (route tree only), confirming it must be in the cache key - **CVE-2025-49005** ([Vercel](https://vercel.com/changelog/cve-2025-49005), [GHSA-r2fc-ccr8-96c4](GHSA-r2fc-ccr8-96c4)) — Cache poisoning via missing `Vary` header in Next.js 15.3.0–15.3.3. Workaround: manually set `Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch` - **[Running Next.js behind AWS CloudFront](https://www.bstefanski.com/blog/running-nextjs-behind-aws-cloudfront)** — Documents the same cache poisoning issue and fix - **[cdk-nextjs](https://github.com/jetbridge/cdk-nextjs)** `NextjsDistribution.ts` — Uses the same hash-into-single-header approach with `x-open-next-cache-key` - **[CloudFront quotas](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-limits.html)** — Cache Policy allows max 10 headers
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add Next.js App Router RSC headers (
RSC,Next-Router-Prefetch,Next-Router-State-Tree,Next-URL) to the CloudFrontCachePolicyCacheHeaderBehavior.allowListto prevent cache poisoning between HTML and RSC flight responses.Closes #100
Problem
Next.js App Router sends two types of requests to the same URL:
RSC: 1headerWithout these headers in the cache key, CloudFront treats both request types identically. When caching is active (static pages, ISR, or explicit cache headers), an RSC response (
text/x-component) can be cached and served for a normal HTML request, or vice versa.The current sample app uses dynamic rendering (
cookies()calls), soCache-Control: private, no-cache, no-storeprevents caching. However, as a starter kit, users will naturally add static pages or ISR, at which point cache poisoning occurs.Change
Grounding / References
The fix is validated by multiple independent sources:
Varyheader. Vercel's recommended workaround for self-hosted deployments: manually setVary: RSC, Next-Router-State-Tree, Next-Router-Prefetch.rsc,next-router-prefetch,next-router-state-tree,next-urlas cache key components (hashed via CloudFront Function intox-open-next-cache-key).Verification
npm run buildincdk/)RSC: 1header) to the same URL should produce separate cache entries