The Amazon CloudFront documentation (meanwhile?!) says that CallerReference is a unique name that ensures that the request cannot be replayed; see InvalidationBatch Complex Type for details:
If CallerReference is a value that you already sent in a previous invalidation batch request, and if the contents of each Path element are identical to the original request, the response includes the same information returned to the original request.
If CallerReference is a value that you already sent in a previous invalidation batch request, but the contents of any Path are different from the original request, CloudFront returns an InvalidationBatchAlreadyExists error.
The CallerReference link in the Object Invalidation section confirms this as well and gives a hint on how to deal with this in practice:
CallerReference is a unique value that you provide and that CloudFront uses to prevent your request from being replayed. You must provide a new caller reference value and other new information in the request for CloudFront to create a new invalidation request. You could use a timestamp for the caller reference (e.g. 20100801090000).
Although the sample uses a timestamp, a dedicated value for handling replay attacks supposedly provides more flexibility and therefore potentially better security (if necessary) than relying on a Date header.
Steffen Opel
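
The CallerReference rules quoted in the answer above, as an added example that is not part of the original answer and is not AWS code. `InvalidationModel`, `timestamp_reference` and `demo` are hypothetical names for a local model of the documented behaviour; comparing paths in the order sent is an assumption of the model, and the paths and Ids are constructed.

```python
import itertools
from datetime import datetime, timezone


class InvalidationBatchAlreadyExists(Exception):
    """Same CallerReference was reused with different paths."""


class InvalidationModel:
    """Local stand-in for the documented CallerReference rules (not an AWS client)."""

    def __init__(self):
        self._batches = {}            # CallerReference -> (paths, response)
        self._ids = itertools.count(1)

    def create_invalidation(self, caller_reference, paths):
        # Assumption: paths are compared in the order they were sent.
        paths = tuple(paths)
        if caller_reference in self._batches:
            original_paths, response = self._batches[caller_reference]
            if original_paths == paths:
                return response       # replay or retry: original response, no new batch
            raise InvalidationBatchAlreadyExists(caller_reference)
        response = {"Id": f"CONSTRUCTED-{next(self._ids)}", "Paths": paths}
        self._batches[caller_reference] = (paths, response)
        return response


def timestamp_reference(now=None):
    """Caller reference in the timestamp style the documentation suggests."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y%m%d%H%M%S")


def demo():
    cf = InvalidationModel()
    ref = timestamp_reference(datetime(2010, 8, 1, 9, 0, 0, tzinfo=timezone.utc))
    first = cf.create_invalidation(ref, ["/index.html", "/css/site.css"])
    retry = cf.create_invalidation(ref, ["/index.html", "/css/site.css"])
    try:
        # A different batch issued within the same second reuses the reference.
        cf.create_invalidation(ref, ["/img/logo.png"])
        collided = False
    except InvalidationBatchAlreadyExists:
        collided = True
    return ref, first["Id"] == retry["Id"], collided


if __name__ == "__main__":
    print(demo())
```

A one-second timestamp makes retries of the same batch safe, but two different batches created within the same second share a reference and the second one is rejected.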