aws · mergify · Sep 1, 2025 · Aug 21, 2025 · Aug 27, 2025 · Aug 31, 2025
diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts
@@ -144,6 +144,11 @@ export class ResponseHeadersPolicy extends Resource implements IResponseHeadersP
         throw new ValidationError(`accessControlAllowMethods contains unexpected method name; allowed values: ${allowedMethods.join(', ')}`, this);
       }
     });
+    withResolved(behavior.accessControlAllowHeaders, (headers) => {
+      if (behavior.accessControlAllowCredentials && headers.some(header => !Token.isUnresolved(header) && header.includes('*'))) {
+        throw new ValidationError('accessControlAllowHeaders cannot contain "*" or headers with "*" when accessControlAllowCredentials is true', this);
+      }
+    });
 
     return {
       accessControlAllowCredentials: behavior.accessControlAllowCredentials,

diff --git a/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts b/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts
@@ -205,5 +205,20 @@ describe('ResponseHeadersPolicy', () => {
         },
       })).toThrow(/accessControlAllowMethods contains unexpected method name/);
     });
+
+    test.each([
+      [['*']],
+      [['X-Custom-*', 'Authorization']],
+    ])('throws if accessControlAllowHeaders contains wildcard when accessControlAllowCredentials is true', (headers) => {
+      expect(() => new ResponseHeadersPolicy(stack, 'ResponseHeadersPolicy', {
+        corsBehavior: {
+          accessControlAllowCredentials: true,
+          accessControlAllowHeaders: headers,
+          accessControlAllowMethods: ['GET'],
+          accessControlAllowOrigins: ['https://example.com'],
+          originOverride: true,
+        },
+      })).toThrow('accessControlAllowHeaders cannot contain "*" or headers with "*" when accessControlAllowCredentials is true');
+    });
   });
 });