Strict-Transport-Security on CloudFront with S3 origin?
My company's site has a static homepage for speed and cost reasons. We use S3 as the origin for CloudFront. Now, we would like to declare Strict-Transport-Security for the entire domain, but S3 seems to not send any headers we specify (beyond ones starting with like x-aws--). CloudFront doesn't seem to have any custom header option either.
Is this possible?
Solution 1:
David's answer points to the docs, which boil down to:

- Create a Lambda function like so. Note that Lambda@Edge has a limited set of runtimes and some additional constraints compared to other Lambda functions. For example, all functions must be created in `us-east-1` - CloudFront will automagically replicate them to other regions - layers are not supported, and all triggers must use an explicit ARN - no aliases, or using `$LATEST`.

```javascript
'use strict';
exports.handler = (event, context, callback) => {
    const response = event.Records[0].cf.response;
    const headers = response.headers;
    headers['strict-transport-security'] = [{
        key: 'Strict-Transport-Security',
        /*
         * verify that max-age and 'includeSubdomains' are the settings you want
         */
        value: 'max-age=31536000; includeSubdomains; preload'
    }];
    callback(null, response);
};
```

- Publish a version and deploy it to Lambda@Edge. You cannot use `$LATEST` or an alias for the next step.
- Associate the published function version with a CloudFront distribution. If this is a one-off task, it's probably easier to do it via the Lambda console. If you want to associate your function with multiple distributions, it's probably easier to use the CloudFront console.
- You'll want to set the event type as `origin-response` (between S3 and the cache) or `viewer-response` (between cache and browser), and specify the ARN with the version you published above - e.g. `arn:aws:lambda:us-east-1:1234567890:function:MY-FUNCTION-NAME:v1`
- Wait for the distribution to update and test that the headers are present in the response
Solution 2:
You can now add HTTP response headers natively in CloudFront (including HSTS), without modifying your origin or writing a function. Create a new response headers policy with your configuration, then attach the policy to one or more cache behaviors.
Documentation is available here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html
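Whichever route is used (the Lambda@Edge function from Solution 1 or the response headers policy from Solution 2), the last step is to verify what the distribution actually returns. The following Node.js script is an added example, not code from either answer or from AWS: it parses a Strict-Transport-Security value, grades it against what a preload submission needs (a max-age of at least one year, includeSubDomains, and the preload token), and runs a handler of the same shape as Solution 1's over a constructed origin-response event so the emitted header can be checked before deployment. The sample event, the function names and the header value are assumptions made for this example.

```javascript
'use strict';

// hstspreload.org requires a max-age of at least one year (31536000 s).
const ONE_YEAR_SECONDS = 31536000;

// Split a Strict-Transport-Security value into directives. Directive names are
// case-insensitive (RFC 6797), so 'includeSubdomains' and 'includeSubDomains' both count.
function parseHstsDirectives(value) {
  const directives = new Map();
  const problems = [];
  for (const part of value.split(';')) {
    const token = part.trim();
    if (token === '') continue;
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : token.slice(eq + 1).trim();
    if (val !== null && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1); // quoted-string form is permitted by the RFC grammar
    }
    if (directives.has(name)) problems.push(`directive "${name}" appears more than once`);
    directives.set(name, val);
  }
  return { directives, problems };
}

// Grade an HSTS header as it comes back from CloudFront. Accepts a plain string
// (Node's http/fetch response headers) or the Lambda@Edge [{ key, value }] form.
function evaluateHsts(header) {
  if (Array.isArray(header)) header = header.length > 0 ? header[0].value : undefined;
  if (header === undefined || header === null) {
    return { present: false, preloadReady: false, problems: ['Strict-Transport-Security header is missing'] };
  }
  const { directives, problems } = parseHstsDirectives(String(header));

  let maxAge = null;
  const maxAgeRaw = directives.get('max-age');
  if (maxAgeRaw === undefined) {
    problems.push('max-age directive is required');
  } else if (!/^\d+$/.test(maxAgeRaw ?? '')) {
    problems.push(`max-age must be a non-negative integer, got "${maxAgeRaw}"`);
  } else {
    maxAge = Number(maxAgeRaw);
    if (maxAge === 0) problems.push('max-age=0 tells browsers to forget the HSTS policy');
    else if (maxAge < ONE_YEAR_SECONDS) problems.push(`max-age ${maxAge} is below the one-year minimum for preloading`);
  }
  const includeSubDomains = directives.has('includesubdomains');
  const preload = directives.has('preload');
  if (!includeSubDomains) problems.push('includeSubDomains is required for preloading');
  if (!preload) problems.push('the preload token is required for preloading');

  return { present: true, maxAge, includeSubDomains, preload, preloadReady: problems.length === 0, problems };
}

// The header value the edge function (or a response headers policy) should emit; assumed for this example.
const HSTS_VALUE = `max-age=${ONE_YEAR_SECONDS}; includeSubDomains; preload`;

// Same job as the handler in Solution 1, factored so the modified response can be inspected in a test.
function applyHsts(response) {
  response.headers['strict-transport-security'] = [
    { key: 'Strict-Transport-Security', value: HSTS_VALUE },
  ];
  return response;
}
// Lambda@Edge entry point (async form); guarded so the file also loads outside CommonJS.
if (typeof exports !== 'undefined') {
  exports.handler = async (event) => applyHsts(event.Records[0].cf.response);
}

// Constructed origin-response event in the Lambda@Edge shape (not a real CloudFront capture).
function sampleOriginResponseEvent() {
  return {
    Records: [{
      cf: {
        response: {
          status: '200',
          statusDescription: 'OK',
          headers: { 'content-type': [{ key: 'Content-Type', value: 'text/html' }] },
        },
      },
    }],
  };
}

// Demonstration: run the handler over the sample event and grade the result,
// then grade a weak header for comparison.
const demoResponse = applyHsts(sampleOriginResponseEvent().Records[0].cf.response);
console.log(JSON.stringify(evaluateHsts(demoResponse.headers['strict-transport-security'])));
console.log(JSON.stringify(evaluateHsts('max-age=300')));
```

To check a live distribution, feed `res.headers['strict-transport-security']` from a Node `https.get` against the CloudFront hostname into `evaluateHsts`; a `present: false` result after the distribution has finished updating usually means the function was attached to the wrong event type or the cache behavior is still serving a cached object without the header.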