During further testing I discovered an important edge case:
- Cookies issued with Domain=wpsuite.io were also sent to kirodev.wpsuite.io.
- This meant that both cookie triples (from wpsuite.io and kirodev.wpsuite.io) traveled together in requests.
- CloudFront behind kirodev.wpsuite.io rejected them with 403s, since the policy ID and key-pair didn't match.

The fix was to move cookie issuance from API Gateway to Lambda@Edge behind the same domain as the protected content, so that cookies can be issued as host-only.
This pivot made the stack more robust, and the latest SAR template already includes the fix.
