Feature/md 7071 set security headers

[marns93]

@felix11h FYI
We added additional security headers for our websites.

[zyv]

I think it would be important to check whether this overrides cache-control or not.

[marns93]

I will not override the other settings.
But we have to check if it works like it is, because during the upload x-amz-meta- will be added automatically as a prefix...

[zyv]

Maybe S3 doesn't support it in the first place? Interestingly CloudFront advises to go for Lambda:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example-function-add-security-headers.html

[marns93]

So another option would be a CloudFront function, which returns the headers for the response. But we will execute the function for every response for the app... :(
Will check what options we have.

[marns93]

:D @zyv Same comment and idea.

[marns93]

I think a better option would be adding response headers policy with CloudFront.
@zyv WDYT?

[zyv]

But we will execute the function for every response for the app... :(

Yes, but this with Lambda@Edge I think is annoying, but non-factor in terms of both costs and performance.

[zyv]

Oh wow, this is cool. Do you have a link to the docs?

[marns93]

Oh wow, this is cool. Do you have a link to the docs?

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/understanding-response-headers-policies.html#understanding-response-headers-policies-security

There are some pre-defined ones, which are not exactly what we need, but we can create our custom one.

https://us-east-1.console.aws.amazon.com/cloudfront/v4/home#/policies/responseHeaders/create

[marns93]

So we will close this PR and create a new one in moneymeets-pulumi by settings the response headers with CloudFront. There are more security headers we could set, which can be discussed.

[marns93]

Close this PR, because we can't set the headers with the expected names. We will add a custom response policy to our CloudFront distribution. (#8 (comment))