CORS locked to CloudFront domain; Identity Pool server-side token check enabled

Two small hardening commits: CORS on the S3 docs bucket and API Gateway is tightened from `*` to the actual CloudFront distribution domain, and `serverSideTokenCheck` on the Cognito Identity Pool is flipped to `true`. Small changes, but CORS wildcards are the kind of default that survives indefinitely if not addressed explicitly.

securityinfrastructure

The docs bucket CORS was initially set to allowedOrigins: ['*'] with a comment saying it would be tightened post-deploy. 685c7ad does that tightening: the CORS rule is moved off the Bucket constructor (which runs before the CloudFront distribution exists) and applied via CDK's L1 escape hatch (cfnDocsBucket.corsConfiguration) so it can reference this.distribution.distributionDomainName as a CloudFormation token resolved at deploy time.

The frontendUrl prop on ApiStack is made required (non-optional string) and defaultCorsPreflightOptions.allowOrigins is set to [props.frontendUrl] rather than Cors.ALL_ORIGINS. A separate commit (54937c3) catches a regression where allowOrigins had reverted to ALL_ORIGINS after an unrelated change.

serverSideTokenCheck: true on the Identity Pool means Cognito validates the token against its own token revocation list. The Identity Pool itself is removed in a later commit when uploads switch to backend-issued presigned URLs, so this setting becomes moot - but the pattern of enabling server-side checks is still the right default.

So what Minor but copy-worthy if you are starting from the same CDK foundation: the escape-hatch pattern for referencing a CloudFormation token in `corsConfiguration` is the correct way to avoid a chicken-and-egg dependency between the bucket and the distribution.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

2 commits from dropthejase/louis, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
685c7ad5 security: lock CORS to CloudFront domain, enable Identity Pool token check Jason Lee 2026-05-08 ↗ GitHub
commit body
- serverSideTokenCheck: true on Identity Pool - revoked tokens can no
  longer exchange for IAM credentials until expiry
- docsBucket CORS allowedOrigins locked to CF distribution domain via
  Fn::GetAtt (no longer '*'); resolved at deploy time by CloudFormation
- ApiStack FRONTEND_URL wired to CF domain token for API Gateway CORS
- Removed dev-only RemovalPolicy.DESTROY / autoDeleteObjects from
  docsBucket; enterprise POC always retains data
54937c3a fix: lock API Gateway CORS allowOrigins to CloudFront domain Jason Lee 2026-05-09 ↗ GitHub

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-350.md from inside the repo you want the changes in.

⬇ Download capture-thread-350.md