I want to add HTTP security headers to Amazon CloudFront responses. How can I do this?
Short description
HTTP security headers improve the privacy and security of a web application and help protect it from client-side vulnerabilities. CloudFront response headers policies let you add one or more of the most common HTTP security headers to the responses that CloudFront returns; the example response at the end of this article shows several of them.
Resolution
You can use the managed security headers response policy, which includes predefined values for the most common HTTP security headers. Or, you can create a custom response headers policy with your own security headers and values and attach it to the CloudFront cache behavior that needs it.
Create a custom response headers policy from the AWS console
- Open the CloudFront console.
- From the navigation menu, choose Policies. Then, choose Response headers.
- Choose Create response headers policy.
- Under Security headers, select each of the security headers that you want to add to the policy. Add or select the required values for each header.
- Under Custom headers, add the custom security headers and values that you want CloudFront to add to the responses.
- Fill out the other fields as required. Then, choose Create.
Attach response headers policy to a cache behavior
After you create a response headers policy, attach it to a cache behavior in a CloudFront distribution. To attach a managed or custom security headers response policy to an existing CloudFront distribution:
- Open the CloudFront console.
- Choose the distribution you want to update.
- Under the Behaviors tab, select the cache behavior you want to modify. Then, choose Edit.
- For Response headers policy, choose SecurityHeadersPolicy or choose the custom policy that you created.
- Choose Save changes.
The following is an example of a CloudFront response that includes HTTP security response headers:
curl -I https://dxxxxxxxbai33q.cloudfront.net
HTTP/2 200
content-type: text/html
content-length: 9850
vary: Accept-Encoding
date: xxxxxxxxx
last-modified: xxxxxxx
etag: "c59c5ef71f3350489xxxxxxxxxx"
x-amz-server-side-encryption: AES256
cache-control: no-store, no-cache, private
x-amz-version-id: null
accept-ranges: bytes
server: AmazonS3
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
strict-transport-security: max-age=31536000
x-cache: Miss from cloudfront
via: 1.1 12142717248e0e7148a5c1a9151ab918.cloudfront.net (CloudFront)
x-amz-cf-pop: BOS50-C3
x-amz-cf-id: nHNANTZYdkQkE5BmsqlisPTiodFhVCK-Sf9Zp4iJzNs04eWi1_hEig==
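To confirm that the policy took effect after you attach it to a cache behavior, the following added Python script (example code, not AWS's) parses `curl -I` output like the response above and reports which of the five security headers shown there are missing or weakly configured. The expected values in EXPECTED are assumptions; adjust them to match your own response headers policy.

```python
import re

# Assumed expectations, taken from the five security headers in the example
# response above; adjust to the values your own policy sets.
EXPECTED = {
    "strict-transport-security": lambda v: _max_age(v) >= 31536000,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "referrer-policy": lambda v: v.strip().lower() in {
        "no-referrer", "same-origin", "strict-origin",
        "strict-origin-when-cross-origin"},
    "x-xss-protection": lambda v: v.strip().lower().startswith("1"),
}


def _max_age(value):
    """Return the max-age directive of an HSTS value, or -1 if it is absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else -1


def parse_curl_head(text):
    """Turn `curl -I` output into a dict of lowercased header name -> value."""
    headers = {}
    for line in text.splitlines():
        # Skip the command echo and the status line; neither is a header.
        if ":" not in line or line.startswith(("HTTP/", "curl ")):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers):
    """Return the expected headers that are missing or have a weak value."""
    missing = [h for h in EXPECTED if h not in headers]
    weak = [h for h in EXPECTED if h in headers and not EXPECTED[h](headers[h])]
    return {"missing": missing, "weak": weak}


# Constructed sample built from the security headers in the article's example.
SAMPLE = """HTTP/2 200
content-type: text/html
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
strict-transport-security: max-age=31536000
x-cache: Miss from cloudfront
"""

if __name__ == "__main__":
    print(audit(parse_curl_head(SAMPLE)))  # {'missing': [], 'weak': []}
```

Pipe a live response into it with `curl -sI https://<your-distribution>.cloudfront.net` and pass the text to `parse_curl_head`; a non-empty `missing` or `weak` list means the policy is not attached to that behavior or sets a weaker value than expected.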