Gothic Framework G symbol

Allow Headers, Cookies & Query Params

Gothic serves your dynamic pages through a CDN (CloudFront on AWS), which caches them right at the edge. Which query params, cookies and headers land in the cache key — and get forwarded to your server — is controlled by the CDN field under Deploy.Providers.AWS in your gothic.config.go, using the Allow* builders.

By default (when you omit the CDN block entirely), all query params are part of the cache key — so ?lang=PT and ?lang=ENG render and cache separately — while no cookies and no headers are forwarded. Tune any of the three with the Allow* builders:

AWS: gothic.AWSProvider{
	// ...ServerMemory, ServerTimeout, Region, Profile, Stages...
	CDN: gothic.CDNConfig{
		QueryParams: gothic.AllowAll(),                          // default: all query params
		Cookies:     gothic.Allow("session"),                   // forward + vary on these cookies
		Headers:     gothic.Allow("CloudFront-Viewer-Country"), // whitelist only for headers
	},
},

There are four builders, and you never touch an enum or a struct directly:

Important: Headers accept only AllowNone() or Allow(...) — CloudFront cache policies reject all/allExcept for headers. And never forward the Host or Authorization header for the server behavior: CloudFront signs the Lambda Function URL with SigV4 (via OAC) against the function URL's own host, so forwarding either one breaks the signature and returns HTTP 403.

Now that your CDN caches exactly what you want, let's lock the door with a Web Application Firewall!