Skip to content

Instantly share code, notes, and snippets.

@csereno

csereno/secure-headers.js

Last active October 23, 2019 14:20
Show Gist options
  • Save csereno/8cf39775fedf0f63eea40ac0d86079d2 to your computer and use it in GitHub Desktop.
Save csereno/8cf39775fedf0f63eea40ac0d86079d2 to your computer and use it in GitHub Desktop.
Download ZIP
Add secure headers to static page through CloudFront
Raw
secure-headers.js
# Source: https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/
'use strict';
exports.handler = async (event, context, callback) => {
const response = event.Records[0].cf.response;
const headers = response.headers;
//Set new headers
headers['strict-transport-security'] = [{key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubdomains; preload'}];
headers['content-security-policy'] = [{key: 'Content-Security-Policy', value: "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'"}];
headers['x-content-type-options'] = [{key: 'X-Content-Type-Options', value: 'nosniff'}];
headers['x-frame-options'] = [{key: 'X-Frame-Options', value: 'DENY'}];
headers['x-xss-protection'] = [{key: 'X-XSS-Protection', value: '1; mode=block'}];
headers['referrer-policy'] = [{key: 'Referrer-Policy', value: 'same-origin'}];
//Return modified response
callback(null, response);
//callback(null, event.Records[0].cf.response);
};
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment