Content Security Policy not updated (customHttp.yml) on custom domain
Before opening, please confirm:
- [X] I have checked to see if my question is addressed in the FAQ.
- [X] I have searched for duplicate or closed issues.
- [X] I have read the guide for submitting bug reports.
- [X] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
App Id
arn:aws:amplify:eu-west-1:280564176496:apps/d7oe6xex8lyhr
Region
eu-west-1
Amplify Hosting feature
Custom headers
Describe the bug
Updating our content security policy using customHttp.yml does not work on our custom domain, but does work on the amplifyapp.com URL. I use https://csp-evaluator.withgoogle.com to check the CSP of our custom domain. Whenever I use our amplifyapp.com URL in Google's CSP evaluator it shows our latest changes. Whenever I use our custom domain, it loads the last change before this bug was introduced.
I managed to fix this by disabling the custom domain under domain management and then enabling it again. After this the updated customHttp.yml is being used.
Every time I update our customHttp.yml I need to disable and enable our custom domain again. I believe this is a bug because before it was working.
Expected behavior
Updating our Content Security Policy in customHttp.yml should update the Content Security Policy headers also on our custom domain.
Reproduction steps
- Ensure you use a custom domain
- update content security policy in customHttp.yml
- Push changes to your repository and have Amplify deploy latest commit
- Go to https://csp-evaluator.withgoogle.com and enter your custom domain to verify latest content security policy has been deployed
Workaround to have it fixed: see Additional information.
Build Settings
No response
Additional information
I managed to fix this by disabling the custom domain under domain management and then enabling it again. After this the updated customHttp.yml is being used.
- Go to your app
- under App Settings select Domain Management
- Manage Sub Domains
- Click Disable
- Update
- Wait... and Click Enable again
Every time I update our customHttp.yml I need to disable and enable our custom domain again. I believe this is a bug because before it was working.
@soplan You saved us. Thank you.
The Amplify team needs to fix this ASAP.
@soplan saved us as well, thanks!
Also seeing this issue and it is quite frustrating. We enforce strict content security policies as per best practices but this makes it impossible to update them for live sites.
After following the steps provided by @soplan our app has encountered an error that occurs in different browsers for different users (which is strange)
502 ERROR The request could not be satisfied. The Lambda function result failed validation: The header contains invalid characters. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner. If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation. Generated by cloudfront (CloudFront) Request ID: 2Lc_fJawcb6Uu10__R0LjAZMIhNfL7kNzCbT5WUyUdrlvhzra_76dw==
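The reproduction steps and the disable/enable workaround in the issue body both come down to one question: does the custom domain serve the same Content-Security-Policy as the amplifyapp.com host after a deploy? The 502 report above adds a second check worth running before each deploy, since CloudFront rejects header values containing characters it considers invalid. The script below is an added example for this thread, not code from the issue author or from the Amplify project. It assumes the two hostnames are passed as arguments, that curl is installed, and that "invalid characters" means anything outside printable ASCII (0x20-0x7E); the thread does not state CloudFront's exact rule, so treat that last point as an assumption. The header dumps used for the self-check are constructed samples, not captured responses.

```shell
#!/bin/sh
# Added example (not from the issue or Amplify): compare the CSP served on a
# custom domain with the one on the underlying amplifyapp.com host, and flag
# header values that would trip CloudFront's "header contains invalid
# characters" validation. Assumption: the invalid-character rule is
# "outside printable ASCII 0x20-0x7E"; the thread does not state the exact rule.
set -eu

# Pull the Content-Security-Policy value out of a raw HTTP header dump
# (header name matched case-insensitively, CRLF stripped, first match wins).
csp_from_headers() {
  printf '%s\n' "$1" | tr -d '\r' \
    | awk 'tolower($1) == "content-security-policy:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# One directive per line, trimmed and sorted, so directive order alone does
# not count as a difference.
normalize_csp() {
  printf '%s' "$1" | tr ';' '\n' | sed 's/^[ \t]*//; s/[ \t]*$//' | grep -v '^$' | sort
}

# Return 1 (printing the offending line) if the value holds any byte outside
# printable ASCII; return 0 when the value is clean.
check_header_chars() {
  if printf '%s\n' "$1" | LC_ALL=C grep -n '[^ -~]'; then
    echo "header value contains characters outside printable ASCII" >&2
    return 1
  fi
  return 0
}

# GET the site root and dump the response headers (GET rather than HEAD, so
# the headers match what a browser receives).
fetch_headers() {
  curl -sS -o /dev/null -D - --max-time 15 "https://$1/"
}

# Compare the CSP in two header dumps: 0 = same policy, 1 = different or missing.
compare_csp() {
  csp_a=$(csp_from_headers "$1")
  csp_b=$(csp_from_headers "$2")
  if [ -z "$csp_a" ] || [ -z "$csp_b" ]; then
    echo "at least one response carries no Content-Security-Policy header" >&2
    return 1
  fi
  norm_a=$(normalize_csp "$csp_a")
  norm_b=$(normalize_csp "$csp_b")
  [ "$norm_a" = "$norm_b" ] && return 0
  tmp_a=$(mktemp); tmp_b=$(mktemp)
  printf '%s\n' "$norm_a" > "$tmp_a"
  printf '%s\n' "$norm_b" > "$tmp_b"
  echo "CSP differs. Directives only on first host:"
  comm -23 "$tmp_a" "$tmp_b"
  echo "Directives only on second host:"
  comm -13 "$tmp_a" "$tmp_b"
  rm -f "$tmp_a" "$tmp_b"
  return 1
}

# Constructed sample header dumps (not real responses): the stale policy a
# custom-domain distribution might keep serving, and the updated one.
SAMPLE_OLD=$(cat <<'EOF'
HTTP/2 200
content-type: text/html
content-security-policy: default-src 'self'; script-src 'self'; img-src 'self'
EOF
)
SAMPLE_NEW=$(cat <<'EOF'
HTTP/2 200
content-type: text/html
Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self' https://cdn.example.com
EOF
)

# Usage: sh check_csp.sh www.example.com main.<app-id>.amplifyapp.com
if [ $# -eq 2 ]; then
  hdr_custom=$(fetch_headers "$1")
  hdr_amplify=$(fetch_headers "$2")
  check_header_chars "$(csp_from_headers "$hdr_custom")" || exit 2
  if compare_csp "$hdr_custom" "$hdr_amplify"; then
    echo "OK: $1 serves the same CSP as $2"
  else
    echo "MISMATCH: $1 is still serving a different CSP than $2" >&2
    exit 1
  fi
fi
```

Run it right after a deploy and again after the disable/enable cycle; a non-zero exit means the custom domain's distribution still has the old policy, which is the condition the issue describes. Directive order is ignored on purpose, since Amplify may reorder a policy without changing its meaning.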
Sounds like you have an issue in your code. Deploy your previous code and check if you still have the Lambda function error.
The issue I had appears to have resolved itself, the website and images (that failed to load in the older version of the Content-Security-Policy) now load perfectly. Perhaps CloudFront needed time to refresh itself? There were no errors in the customHttp.yml file or in the build itself.
Also having this issue, only in our production environment; our test environment is fine, despite being identical in setup. Our content security policy is wrong on production using our custom domain, but I can see it's updated on the underlying amplifyapp URL. This issue appeared around June for us.
I confirm that we are also facing the same issue as @soplan.
Is there a plan to address this? The workaround is more than a nuisance; it leads to avoidable downtime...
@hloriana this is also related to https://github.com/aws-amplify/amplify-hosting/issues/2846 so you can close this
@gibron and @soplan could you please provide app IDs for apps still producing this behavior?
arn:aws:amplify:eu-west-1:336514608551:apps/d2oqb1vmqxo34n
arn:aws:amplify:us-west-2:605380922912:apps/d1oybyqlskg97c
I was forced to switch to a completely new Amplify app — interestingly in the case of the new app, the behavior was not present.
The fix has been deployed for this issue. Please redeploy your applications. Marking this as a duplicate of https://github.com/aws-amplify/amplify-hosting/issues/2846. Please open a new bug report issue if this behavior occurs again.
⚠️COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.