1 | 1 | # AWS CDK CloudFront Security Headers
|
2 |
| -This package contains a Lambda@Edge function for cloudfront to add security headers to the origin response of all requests. |
| 2 | +   |
3 | 3 |
|
4 |
| -## Useful commands |
| 4 | +This package contains a Lambda@Edge function for Cloudfront to add security headers to the origin response of all requests. |
5 | 5 |
|
6 |
| - * `npm run build` compile typescript to js |
7 |
| - * `npm run watch` watch for changes and compile |
8 |
| - * `npm run test` perform the jest unit tests |
| 6 | +The function is intended to be added to an existing Cloudfront. |
| 7 | + |
| 8 | +## Usage and Default Options |
| 9 | +### `contentSecurityPolicy` (array<string>, optional) |
| 10 | +- Array to store content security policies to attach |
| 11 | + |
| 12 | +## Security headers attached |
| 13 | + |
| 14 | +### `headers["strict-transport-security"]` (aka HSTS) |
| 15 | +- Informs browsers that the site should only be accessed using a HTTPS connection. |
| 16 | +#### **Value Directives**: |
| 17 | + |
| 18 | +- **`max-age=<expire-time>` (seconds):** |
| 19 | + - Time is set to 108000s seconds / 30 hours. Specifies the length of time the browser should remember that site can only be accessed using HTTPS |
| 20 | + |
| 21 | +- **`includeSubdomains` (boolean, optional):** |
| 22 | + - Option is specifcied. The rule will apply to all of the site's subdomains |
| 23 | + |
| 24 | +- **`preload` (boolean, optional):** |
| 25 | + - Option is specificed. The will be preloaded into the HSTS Preload List. |
| 26 | + |
| 27 | + - The **Preload List** is a list built into major web browsers like Chromium, Edge and Firefox. It is a list containing domains that HTTPS enforcement is automatically applied _before_ the browser receives the STS header. |
| 28 | + |
| 29 | + - This soves the first-load problem of a browser not knowing a site's HSTS policy before the user has visited the site for a first time. |
| 30 | + |
| 31 | + |
| 32 | +### `headers["content-security-policy"]` |
| 33 | +- Allows control over resources that the user agent is allowed to load for a given page. CSPs help guard agaisnt cross-site scripting attacks. |
| 34 | +#### **Value**: |
| 35 | +- **`__CONTENT_SECURITY_POLICY__`:** |
| 36 | + - Defined as an option in `index.ts`. See **Usage and Default Options** above. |
| 37 | + |
| 38 | +### `headers["x-content-type-options"]` |
| 39 | +- Indicates that the MIME types advertised in the `Content-Type` headers should be respected and not changed. |
| 40 | +#### **Value**: |
| 41 | +- **`nosniff` (boolean):** |
| 42 | + - Option is specified. Blocks a request if request destination is of type `style` and the MIME type is not `test/css` or of type `script` and the MIME type is not a JavaScript MIME type. |
| 43 | + |
| 44 | +### `headers["x-frame-options"]` |
| 45 | +- Indicates whether a browser should be allowed to render a page in a `<frame>`, `<iframe>`, `<embed>` or `<object>`. Helps to avoid clickjacking attacks by ensuring content is not embedded into other sites. |
| 46 | +#### **Value Directives**: |
| 47 | +- **`DENY`(boolean, optional):** |
| 48 | + - Option is specified. The page cannot be displayed in a frame, regardless of the site attempting to do so. |
| 49 | + |
| 50 | +- **`SAMEORIGIN`(boolean, optional):** |
| 51 | + - The page can only be displayed if all ancestor frames are same origin to the page itself. |
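Review bot: the HSTS `max-age` documented at new line 19 of this hunk (`Time is set to 108000s seconds / 30 hours`) is too short to pair with the `preload` directive described directly below it: the HSTS preload list only accepts submissions whose policy carries `max-age` of at least one year (31536000 seconds) together with `includeSubDomains`, so a 30-hour value with `preload` set will be rejected, and `preload` by itself does nothing until the domain is submitted at hstspreload.org; either raise the value to at least 31536000 and say so in the README, or drop `preload` and the preload-list paragraph. Smaller points in the same hunk: `test/css` under `x-content-type-options` should read `text/css`; the `x-frame-options` section lists both `DENY` and `SAMEORIGIN` as optional although the header carries exactly one value, so state which one the function actually sets (only `DENY` says "Option is specified"); the `contentSecurityPolicy` option should say how the array is turned into the header value (presumably joined as `; `-separated directives, which is an assumption here) and what is emitted when the option is omitted, since the value section only points at the `__CONTENT_SECURITY_POLICY__` placeholder in `index.ts`; "Cloudfront" is the product name "CloudFront"; and the removed `## Useful commands` block (`npm run build`, `npm run watch`, `npm run test`) is worth keeping below the new sections rather than deleting it. Typos to fix: specifcied, specificed, "The will be preloaded", soves, agaisnt, "a HTTPS".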