Can we configure CloudFront Cache-control/Expires response headers, when generating signing URLs?

[iamFIREcracker]

I have a CloudFront distribution which serves images stored inside an S3 bucket:

• User asks for an image
• Application server generates a signed URL with an expiry date in the future (e.g. one month) and returns that to the user
• User directly fetches the image from the signed URL

Now, since these images rarely change, we started caching signed URLs inside the application server, hoping that user browsers might be able to serve from the local cache instead of fetching from CloudFront over and over again (especially when the content did not change).

All good in theory; in practice, what we are observing is that none of responses generated by CloudFront seems to include neither the Cache-Control nor the Expires header, which makes it impossible for the user browser to cache and re-use content.

I know it's possible to define a custom "Response headers" policy via the console, and attach that to our distribution; but what if we wanted something a bit more granular? What if we wanted to control that at Signed URL creation time? This seems to be possible when signing S3 files directly (via the: ResponseCacheControl parameter), but not when signing using CloudFront. Is that the case or am I missing something? Note that I am not necessarily interested in setting these headers with a value different from whatever we specified as expires parameter when using the canned policy; I would be OK if CloudFront set either one of these headers automatically based on expires (which is also available in the signed URL).