stackitcloud · matheuspolitano · May 28, 2026 · May 28, 2026 · Jun 1, 2026 · Jun 3, 2026
@@ -46,13 +46,16 @@ data "stackit_cdn_distribution" "example" {
 Optional:
 
 - `blocked_countries` (List of String) The configured countries where distribution of content is blocked
+- `forward_host_header` (Boolean) Enable this allows the 'Host' header to be passed through to the origin.
+- `strip_response_cookies` (Boolean) Enable this to prevent origin-level cookies from being forwarded to the end user.
 
 Read-Only:
 
 - `backend` (Attributes) The configured backend for the distribution (see [below for nested schema](#nestedatt--config--backend))
 - `optimizer` (Attributes) Configuration for the Image Optimizer. This is a paid feature that automatically optimizes images to reduce their file size for faster delivery, leading to improved website performance and a better user experience. (see [below for nested schema](#nestedatt--config--optimizer))
 - `redirects` (Attributes) A wrapper for a list of redirect rules that allows for redirect settings on a distribution (see [below for nested schema](#nestedatt--config--redirects))
 - `regions` (List of String) The configured regions where content will be hosted
+- `tls` (Attributes) Configuration for TLS protocol versions. Note: Enabling older TLS versions (1.0, 1.1) is generally discouraged for security reasons. (see [below for nested schema](#nestedatt--config--tls))
 - `waf` (Attributes) Configures the Web Application Firewall (WAF) for the distribution. If this block is undefined or removed from your configuration, the WAF mode will default to DISABLED and the type to FREE. All other WAF properties will retain their last known state in the API; if they were never defined, the API will apply its default settings. (see [below for nested schema](#nestedatt--config--waf))
 
 <a id="nestedatt--config--backend"></a>
@@ -106,6 +109,15 @@ Read-Only:
 
 
 
+<a id="nestedatt--config--tls"></a>
+### Nested Schema for `config.tls`
+
+Read-Only:
+
+- `enable_tls_10` (Boolean) If set to true, the distribution will accept connections using TLS 1.1.
+- `enable_tls_11` (Boolean) If set to true, the distribution will accept connections using TLS 1.0.
+
+
 <a id="nestedatt--config--waf"></a>
 ### Nested Schema for `config.waf`
 

@@ -146,8 +146,11 @@ Required:
 Optional:
 
 - `blocked_countries` (List of String) The configured countries where distribution of content is blocked
+- `forward_host_header` (Boolean) Enable this allows the 'Host' header to be passed through to the origin.
 - `optimizer` (Attributes) Configuration for the Image Optimizer. This is a paid feature that automatically optimizes images to reduce their file size for faster delivery, leading to improved website performance and a better user experience. (see [below for nested schema](#nestedatt--config--optimizer))
 - `redirects` (Attributes) A wrapper for a list of redirect rules that allows for redirect settings on a distribution (see [below for nested schema](#nestedatt--config--redirects))
+- `strip_response_cookies` (Boolean) Enable this to prevent origin-level cookies from being forwarded to the end user.
+- `tls` (Attributes) Configuration for TLS protocol versions. Note: Enabling older TLS versions (1.0, 1.1) is generally discouraged for security reasons. (see [below for nested schema](#nestedatt--config--tls))
 - `waf` (Attributes) Configures the Web Application Firewall (WAF) for the distribution. If this block is undefined or removed from your configuration, the WAF mode will default to DISABLED and the type to FREE. All other WAF properties will retain their last known state in the API; if they were never defined, the API will apply its default settings. (see [below for nested schema](#nestedatt--config--waf))
 
 <a id="nestedatt--config--backend"></a>
@@ -220,6 +223,15 @@ Optional:
 
 
 
+<a id="nestedatt--config--tls"></a>
+### Nested Schema for `config.tls`
+
+Optional:
+
+- `enable_tls_10` (Boolean) If set to true, the distribution will accept connections using TLS 1.1.
+- `enable_tls_11` (Boolean) If set to true, the distribution will accept connections using TLS 1.0.
+
+
 <a id="nestedatt--config--waf"></a>
 ### Nested Schema for `config.waf`
 

@@ -57,6 +57,13 @@ resource "stackit_cdn_distribution" "example_bucket_distribution" {
       ]
     }
 
+    tls = {
+      enable_tls_10 = true
+      enable_tls_11 = true
+    }
+    strip_response_cookies = true
+    forward_host_header    = true
+
     # WAF Configuration
     # 
     # Precedence Hierarchy: Specific Rules > Groups > Collections

@@ -122,6 +122,10 @@ var testConfigVarsHttp = config.Variables{
 	"waf_log_only_rule_ids_0":             config.StringVariable(wafRule3),
 	"waf_log_only_rule_group_ids_0":       config.StringVariable(wafRule3),
 	"waf_log_only_rule_collection_ids_0":  config.StringVariable(wafRule3),
+	"tls_enable_tls_10":                   config.BoolVariable(true),
+	"tls_enable_tls_11":                   config.BoolVariable(true),
+	"strip_response_cookies":              config.BoolVariable(false),
+	"forward_host_header":                 config.BoolVariable(true),
 }
 
 func configVarsHttpUpdated() config.Variables {
@@ -137,6 +141,21 @@ func configVarsHttpUpdated() config.Variables {
 	updatedConfig["waf_allowed_http_versions_0"] = config.StringVariable("HTTP/1.1")
 	updatedConfig["waf_paranoia_level"] = config.StringVariable("L3")
 
+	// Update TLS
+	updatedConfig["tls_enable_tls_10"] = config.BoolVariable(false)
+	updatedConfig["tls_enable_tls_11"] = config.BoolVariable(false)
+
+	// Update small features
+	updatedConfig["strip_response_cookies"] = config.BoolVariable(true)
+	updatedConfig["forward_host_header"] = config.BoolVariable(false)
+
+	// Update WAF rules
+	updatedConfig["waf_disabled_rule_ids_0"] = config.StringVariable(wafRule3)
+	updatedConfig["waf_disabled_rule_group_ids_0"] = config.StringVariable(wafRule3)
+	updatedConfig["waf_disabled_rule_collection_ids_0"] = config.StringVariable(wafRule3)
+
+	updatedConfig["waf_enabled_rule_ids_0"] = config.StringVariable(wafRule1)
+
 	updatedConfig["waf_enabled_rule_ids_0"] = config.StringVariable(wafRule2)
 	updatedConfig["waf_enabled_rule_group_ids_0"] = config.StringVariable(wafRule2)
 	updatedConfig["waf_enabled_rule_collection_ids_0"] = config.StringVariable(wafRule2)
@@ -234,6 +253,12 @@ func TestAccCDNDistributionHttp(t *testing.T) {
 					),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.optimizer.enabled", testutil.ConvertConfigVariable(testConfigVarsHttp["optimizer"])),
 
+					// TLS Checks
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.tls.enable_tls_10", testutil.ConvertConfigVariable(testConfigVarsHttp["tls_enable_tls_10"])),
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.tls.enable_tls_11", testutil.ConvertConfigVariable(testConfigVarsHttp["tls_enable_tls_11"])),
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.forward_host_header", testutil.ConvertConfigVariable(testConfigVarsHttp["forward_host_header"])),
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.strip_response_cookies", testutil.ConvertConfigVariable(testConfigVarsHttp["strip_response_cookies"])),
+
 					// WAF Checks
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.waf.mode", testutil.ConvertConfigVariable(testConfigVarsHttp["waf_mode"])),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.waf.type", testutil.ConvertConfigVariable(testConfigVarsHttp["waf_type"])),
@@ -371,6 +396,12 @@ func TestAccCDNDistributionHttp(t *testing.T) {
 					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.blocked_countries.0", "CU"),
 					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.optimizer.enabled", testutil.ConvertConfigVariable(testConfigVarsHttp["optimizer"])),
 
+					// TLS Checks inside Data Source
+					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.tls.enable_tls_10", testutil.ConvertConfigVariable(testConfigVarsHttp["tls_enable_tls_10"])),
+					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.tls.enable_tls_11", testutil.ConvertConfigVariable(testConfigVarsHttp["tls_enable_tls_11"])),
+					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.forward_host_header", testutil.ConvertConfigVariable(testConfigVarsHttp["forward_host_header"])),
+					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.strip_response_cookies", testutil.ConvertConfigVariable(testConfigVarsHttp["strip_response_cookies"])),
+
 					// WAF Checks inside Data Source
 					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.waf.mode", testutil.ConvertConfigVariable(testConfigVarsHttp["waf_mode"])),
 					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.waf.type", testutil.ConvertConfigVariable(testConfigVarsHttp["waf_type"])),
@@ -445,6 +476,12 @@ func TestAccCDNDistributionHttp(t *testing.T) {
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.blocked_countries.0", "CU"),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.optimizer.enabled", testutil.ConvertConfigVariable(testConfigVarsHttp["optimizer"])),
 
+					// TLS Configuration
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.tls.enable_tls_10", testutil.ConvertConfigVariable(configVarsHttpUpdated()["tls_enable_tls_10"])),
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.tls.enable_tls_11", testutil.ConvertConfigVariable(configVarsHttpUpdated()["tls_enable_tls_11"])),
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.forward_host_header", testutil.ConvertConfigVariable(configVarsHttpUpdated()["forward_host_header"])),
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.strip_response_cookies", testutil.ConvertConfigVariable(configVarsHttpUpdated()["strip_response_cookies"])),
+
 					// Checking WAF Mutated Configurations
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.waf.mode", testutil.ConvertConfigVariable(configVarsHttpUpdated()["waf_mode"])),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.waf.type", testutil.ConvertConfigVariable(configVarsHttpUpdated()["waf_type"])),

@@ -46,6 +46,11 @@ var dataSourceConfigTypes = map[string]attr.Type{
 	"waf": types.ObjectType{
 		AttrTypes: wafTypes, // Shared from resource.go
 	},
+	"tls": types.ObjectType{
+		AttrTypes: tlsTypes, // Shared from resource.go
+	},
+	"strip_response_cookies": types.BoolType,
+	"forward_host_header":    types.BoolType,
 }
 
 type distributionDataSource struct {
@@ -207,6 +212,30 @@ func (r *distributionDataSource) Schema(_ context.Context, _ datasource.SchemaRe
 							},
 						},
 					},
+					"strip_response_cookies": schema.BoolAttribute{
+						Optional:    true,
+						Computed:    true,
+						Description: schemaDescriptions["config_strip_response_cookies"],
+					},
+					"forward_host_header": schema.BoolAttribute{
+						Optional:    true,
+						Computed:    true,
+						Description: schemaDescriptions["config_forward_host_header"],
+					},
+					"tls": schema.SingleNestedAttribute{
+						Description: schemaDescriptions["config_tls_config"],
+						Computed:    true,
+						Attributes: map[string]schema.Attribute{
+							"enable_tls_11": schema.BoolAttribute{
+								Computed:    true,
+								Description: schemaDescriptions["config_tls_enable_tls_10"],
+							},
+							"enable_tls_10": schema.BoolAttribute{
+								Computed:    true,
+								Description: schemaDescriptions["config_tls_enable_tls_11"],
+							},
+						},
+					},
 					"redirects": schema.SingleNestedAttribute{
 						Computed:    true,
 						Description: schemaDescriptions["config_redirects"],
@@ -641,14 +670,27 @@ func mapDataSourceFields(ctx context.Context, distribution *cdnSdk.Distribution,
 		}
 	}
 
+	tlsObjAttrs := map[string]attr.Value{
+		"enable_tls_10": types.BoolValue(distribution.Config.Tls.EnableTls10),
+		"enable_tls_11": types.BoolValue(distribution.Config.Tls.EnableTls11),
+	}
+
+	tlsVal, diagTls := types.ObjectValue(tlsTypes, tlsObjAttrs)
+	if diagTls.HasError() {
+		return core.DiagsToError(diagWaf)
+	}
+
 	// Use dataSourceConfigTypes
 	cfg, diags := types.ObjectValue(dataSourceConfigTypes, map[string]attr.Value{
-		"backend":           backend,
-		"regions":           modelRegions,
-		"blocked_countries": modelBlockedCountries,
-		"optimizer":         optimizerVal,
-		"redirects":         redirectsVal,
-		"waf":               wafVal,
+		"backend":                backend,
+		"regions":                modelRegions,
+		"blocked_countries":      modelBlockedCountries,
+		"optimizer":              optimizerVal,
+		"redirects":              redirectsVal,
+		"waf":                    wafVal,
+		"tls":                    tlsVal,
+		"strip_response_cookies": types.BoolValue(distribution.Config.StripResponseCookies),
+		"forward_host_header":    types.BoolValue(distribution.Config.ForwardHostHeader),
 	})
 	if diags.HasError() {
 		return core.DiagsToError(diags)