diff --git a/README.md b/README.md
index 7f2abe06..48b10cff 100644
--- a/README.md
+++ b/README.md
@@ -489,6 +489,7 @@ Available targets:
 | <a name="input_realtime_log_config_arn"></a> [realtime\_log\_config\_arn](#input\_realtime\_log\_config\_arn) | The ARN of the real-time log configuration that is attached to this cache behavior | `string` | `null` | no |
 | <a name="input_redirect_all_requests_to"></a> [redirect\_all\_requests\_to](#input\_redirect\_all\_requests\_to) | A hostname to redirect all website requests for this distribution to. If this is set, it overrides other website settings | `string` | `""` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
+| <a name="input_response_headers_policy_id"></a> [response\_headers\_policy\_id](#input\_response\_headers\_policy\_id) | The identifier for a response headers policy | `string` | `""` | no |
 | <a name="input_routing_rules"></a> [routing\_rules](#input\_routing\_rules) | A json array containing routing rules describing redirect behavior and when redirects are applied | `string` | `""` | no |
 | <a name="input_s3_access_log_bucket_name"></a> [s3\_access\_log\_bucket\_name](#input\_s3\_access\_log\_bucket\_name) | Name of the existing S3 bucket where S3 Access Logs will be delivered. Default is not to enable S3 Access Logging. | `string` | `""` | no |
 | <a name="input_s3_access_log_prefix"></a> [s3\_access\_log\_prefix](#input\_s3\_access\_log\_prefix) | Prefix to use for S3 Access Log object keys. Defaults to `logs/${module.this.id}` | `string` | `""` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 5ac390b2..c0c7dd91 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -128,6 +128,7 @@
 | <a name="input_realtime_log_config_arn"></a> [realtime\_log\_config\_arn](#input\_realtime\_log\_config\_arn) | The ARN of the real-time log configuration that is attached to this cache behavior | `string` | `null` | no |
 | <a name="input_redirect_all_requests_to"></a> [redirect\_all\_requests\_to](#input\_redirect\_all\_requests\_to) | A hostname to redirect all website requests for this distribution to. If this is set, it overrides other website settings | `string` | `""` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
+| <a name="input_response_headers_policy_id"></a> [response\_headers\_policy\_id](#input\_response\_headers\_policy\_id) | The identifier for a response headers policy | `string` | `""` | no |
 | <a name="input_routing_rules"></a> [routing\_rules](#input\_routing\_rules) | A json array containing routing rules describing redirect behavior and when redirects are applied | `string` | `""` | no |
 | <a name="input_s3_access_log_bucket_name"></a> [s3\_access\_log\_bucket\_name](#input\_s3\_access\_log\_bucket\_name) | Name of the existing S3 bucket where S3 Access Logs will be delivered. Default is not to enable S3 Access Logging. | `string` | `""` | no |
 | <a name="input_s3_access_log_prefix"></a> [s3\_access\_log\_prefix](#input\_s3\_access\_log\_prefix) | Prefix to use for S3 Access Log object keys. Defaults to `logs/${module.this.id}` | `string` | `""` | no |
diff --git a/main.tf b/main.tf
index 984ea7c7..9b0df632 100644
--- a/main.tf
+++ b/main.tf
@@ -437,13 +437,14 @@ resource "aws_cloudfront_distribution" "default" {
   }
 
   default_cache_behavior {
-    allowed_methods    = var.allowed_methods
-    cached_methods     = var.cached_methods
-    cache_policy_id    = var.cache_policy_id
-    target_origin_id   = local.origin_id
-    compress           = var.compress
-    trusted_signers    = var.trusted_signers
-    trusted_key_groups = var.trusted_key_groups
+    allowed_methods            = var.allowed_methods
+    cached_methods             = var.cached_methods
+    cache_policy_id            = var.cache_policy_id
+    target_origin_id           = local.origin_id
+    compress                   = var.compress
+    trusted_signers            = var.trusted_signers
+    trusted_key_groups         = var.trusted_key_groups
+    response_headers_policy_id = var.response_headers_policy_id
 
     dynamic "forwarded_values" {
       # If a cache policy is specified, we cannot include a `forwarded_values` block at all in the API request
diff --git a/variables.tf b/variables.tf
index bcc6eb08..299c4230 100644
--- a/variables.tf
+++ b/variables.tf
@@ -175,6 +175,12 @@ variable "price_class" {
   description = "Price class for this distribution: `PriceClass_All`, `PriceClass_200`, `PriceClass_100`"
 }
 
+variable "response_headers_policy_id" {
+  type        = string
+  description = "The identifier for a response headers policy"
+  default     = ""
+}
+
 variable "viewer_protocol_policy" {
   type        = string
   description = "Limit the protocol users can use to access content. One of `allow-all`, `https-only`, or `redirect-to-https`"