Most of the 4xx errors from CloudFront turned out to be originating from GET /favicon.ico requests from the browser. The signed URL only grants access to the requested PDF object in S3, so the client isn't allowed to get the favicon. Also, the favicon was previously not in the bucket at all.
One fix could be to add a signed cookie that grants access to the favicon, in addition to the signed URL which grants access to the thingamagic. Or could investigate if we can make CloudFront redirect the client back to tarpisto.tko-aly.fi on specific HTTP codes.
Most of the 4xx errors from CloudFront turned out to be originating from
GET /favicon.ico
requests from the browser. The signed URL only grants access to the requested PDF object in S3, so the client isn't allowed to get the favicon. Also, the favicon was previously not in the bucket at all.One fix could be to add a signed cookie that grants access to the favicon, in addition to the signed URL which grants access to the thingamagic. Or could investigate if we can make CloudFront redirect the client back to tarpisto.tko-aly.fi on specific HTTP codes.