Description
The `Accept` header is part of the CloudFront cache key by default.
Since it is set by the user, varying the header results in a cache miss, which opens a potential attack vector.
Accept header
Limiting the header to default values is a risky take since this can change every time.
An alternative approach would be to use a CloudFront function to normalize the header for each request.
- Detect Avif support -> replaces `Accept` header with `image/avif,image/webp,*/*`
- Detect Webp support -> replaces `Accept` header with `image/webp,*/*`
- Otherwise replaces the header with `*/*`
The advantage of using a CloudFront function for this is that it is relatively cheap ($0.10 per 1 million invocations) and the modified Header is used to serve the request from the cache instead of hitting the origin.
So two identical requests with different headers `Accept: image/webp,*/*`, `Accept: image/webp,a/b,*/*` would both be served from the same cached object.
The disadvantage is that the CloudFront function would be invoked for every request (whether it's in the cache or not).
x-ref: #75
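
The normalization proposed above, written as a CloudFront Functions viewer-request handler. This is an added example, not code from the project; the helper names `acceptValue` and `normalizeAccept` are hypothetical, and the event shape (`event.request.headers.accept` with `value` and optional `multiValue`) is the CloudFront Functions event structure.

```javascript
// Added example: collapse any client-supplied Accept header into one of three
// fixed values, so the cache key can only take three forms per URL.

// Hypothetical helper: read the header, including repeated Accept headers,
// which CloudFront Functions exposes through the multiValue array.
function acceptValue(header) {
  if (!header) return '';
  if (header.multiValue) {
    return header.multiValue.map(function (v) { return v.value; }).join(',');
  }
  return header.value || '';
}

// Hypothetical helper: map an arbitrary Accept string to a normalized one.
// Media-type parameters (";q=0.8") are dropped and matching is case-insensitive.
// Assumption: quality values are ignored, so a type listed with q=0 still counts.
function normalizeAccept(accept) {
  var types = String(accept).toLowerCase().split(',').map(function (part) {
    return part.split(';')[0].trim();
  });
  if (types.indexOf('image/avif') !== -1) return 'image/avif,image/webp,*/*';
  if (types.indexOf('image/webp') !== -1) return 'image/webp,*/*';
  return '*/*';
}

// Viewer-request entry point: runs before the cache lookup, so the rewritten
// header is what CloudFront uses in the cache key and forwards to the origin.
function handler(event) {
  var request = event.request;
  request.headers.accept = {
    value: normalizeAccept(acceptValue(request.headers.accept))
  };
  return request;
}
```
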