{"id":22873864,"url":"https://github.com/alma-cdk/origin-verify","last_synced_at":"2026-04-07T09:01:36.980Z","repository":{"id":57679950,"uuid":"492845666","full_name":"alma-cdk/origin-verify","owner":"alma-cdk","description":"AWS CDK Construct to Enforce API Gateway or Application Load Balancer traffic via CloudFront.","archived":false,"fork":false,"pushed_at":"2026-03-24T12:56:42.000Z","size":782,"stargazers_count":5,"open_issues_count":7,"forks_count":2,"subscribers_count":6,"default_branch":"main","last_synced_at":"2026-03-24T13:40:48.711Z","etag":null,"topics":["alb","api-gateway","aws","aws-cdk","aws-cdk-construct","awscdk","cloud-development-kit","cloudfront"],"latest_commit_sha":null,"homepage":"https://constructs.dev/packages/@alma-cdk/origin-verify/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alma-cdk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-05-16T13:23:46.000Z","updated_at":"2025-02-27T09:36:34.000Z","dependencies_parsed_at":"2024-03-18T11:51:17.787Z","dependency_job_id":"2dc27cfa-6bd0-41b3-8a57-8352efdc9e9e","html_url":"https://github.com/alma-cdk/origin-verify","commit_stats":{"total_commits":52,"total_committers":2,"mean_commits":26.0,"dds":"0.23076923076923073","last_synced_commit":"26c2867d6fae29e5413d8da12aeeba5cb51f21a4"},"previous_names":[],"tags_count":40,"template":false,"template_full_name":null,"purl":"pkg:github/alma-cdk/origin-verify","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alma-cdk%2Forigin-verify","tags_url":"https://repo
s.ecosyste.ms/api/v1/hosts/GitHub/repositories/alma-cdk%2Forigin-verify/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alma-cdk%2Forigin-verify/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alma-cdk%2Forigin-verify/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alma-cdk","download_url":"https://codeload.github.com/alma-cdk/origin-verify/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alma-cdk%2Forigin-verify/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31506578,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-07T03:10:19.677Z","status":"ssl_error","status_checked_at":"2026-04-07T03:10:13.982Z","response_time":105,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["alb","api-gateway","aws","aws-cdk","aws-cdk-construct","awscdk","cloud-development-kit","cloudfront"],"created_at":"2024-12-13T14:31:16.169Z","updated_at":"2026-04-07T09:01:36.959Z","avatar_url":"https://github.com/alma-cdk.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\t\u003cbr/\u003e\n\t\u003cbr/\u003e\n  \u003ch1\u003e\n\t\u003cimg height=\"140\" 
src=\"assets/alma-cdk-origin-verify.svg\" alt=\"Alma CDK Origin Verify\" /\u003e\n  \u003cbr/\u003e\n  \u003cbr/\u003e\n  \u003c/h1\u003e\n\n  ```sh\n  npm i -D @alma-cdk/origin-verify\n  ```\n\n  \u003cdiv align=\"left\"\u003e\n\n  Enforce API Gateway REST API, AppSync GraphQL API, or Application Load Balancer traffic via CloudFront by generating a Secrets Manager secret value which is used as a CloudFront Origin Custom header and a WAFv2 WebACL header match rule.\n\n  \u003c/div\u003e\n  \u003cbr/\u003e\n\u003c/div\u003e\n\n\u003cbr/\u003e\n\n![diagram](assets/diagram.svg)\n\n\u003cbr/\u003e\n\nEssentially this is an implementation of _AWS Solution_ “[Enhance Amazon CloudFront Origin Security with AWS WAF and AWS Secrets Manager](https://aws.amazon.com/blogs/security/how-to-enhance-amazon-cloudfront-origin-security-with-aws-waf-and-aws-secrets-manager/)” without the secret rotation.\n\n\u003cbr/\u003e\n\n## 🚧 \u0026nbsp; Project Stability\n\n![experimental](https://img.shields.io/badge/stability-experimental-yellow \"Stability: Experimental\")\n\nThis construct is still versioned with `v0` major version and breaking changes might be introduced if necessary (without a major version bump), though we aim to keep the API as stable as possible (even within `v0` development). 
We aim to publish `v1.0.0` soon, and after that breaking changes will be introduced via major version bumps.\n\n\n\u003cbr/\u003e\n\n## Getting Started\n\n```ts\nimport { OriginVerify } from '@alma-cdk/origin-verify';\nimport { RestApi } from 'aws-cdk-lib/aws-apigateway';\nimport { Distribution, OriginProtocolPolicy } from 'aws-cdk-lib/aws-cloudfront';\nimport { HttpOrigin } from 'aws-cdk-lib/aws-cloudfront-origins';\n```\n```ts\ndeclare const api: RestApi; // TODO: implement the RestApi\ndeclare const apiDomain: string; // TODO: implement the domain\n\nconst verification = new OriginVerify(this, 'OriginVerify', {\n  origin: api.deploymentStage,\n});\n\nnew Distribution(this, 'CDN', {\n  defaultBehavior: {\n    origin: new HttpOrigin(apiDomain, {\n      // Header the WAFv2 WebACL rule matches on; CloudFront adds it to every origin request\n      customHeaders: {\n        [verification.headerName]: verification.headerValue,\n      },\n      protocolPolicy: OriginProtocolPolicy.HTTPS_ONLY,\n    }),\n  },\n});\n```\n\nFor more detailed example usage see the [`/examples`](https://github.com/alma-cdk/origin-verify/tree/main/examples/) directory.\n\n\u003cbr/\u003e\n\n## Custom Secret Value\n\nAdditionally, you may pass in a custom `secretValue` if you don't want to use a generated secret (which you should use in most cases):\n\n```ts\nimport { SecretValue } from 'aws-cdk-lib';\n\nconst myCustomValue = SecretValue.unsafePlainText('foobar');\n\nconst verification = new OriginVerify(this, 'OriginVerify', {\n  origin: api.deploymentStage,\n  secretValue: myCustomValue,\n});\n```\n\n\n\u003cbr/\u003e\n\n## Notes\n\n### Use `OriginProtocolPolicy.HTTPS_ONLY`!\n\nIn your CloudFront distribution Origin configuration use `OriginProtocolPolicy.HTTPS_ONLY` to avoid exposing the `verification.headerValue` secret to the world.\n\n### Why `secretValue.unsafeUnwrap()`?\n\nInternally this construct creates the `headerValue` by using AWS Secrets Manager, but the secret value is exposed directly by using the `secretValue.unsafeUnwrap()` method. This is:\n- **required**, because we must be able to set it into the WAFv2 WebACL rule\n- **required**, because you must be able to set it into the CloudFront Origin Custom Header\n- **okay**, because it's meant to protect the API externally and it's 
_not_ considered as a secret that should be kept – well – secret within _your_ AWS account\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falma-cdk%2Forigin-verify","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falma-cdk%2Forigin-verify","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falma-cdk%2Forigin-verify/lists"}