Security Headers with AWS Lambda@Edge
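'use strict';

// Lambda@Edge origin-response handler that stamps a fixed set of security
// headers onto every CloudFront response.
//
// CloudFront keys the `headers` map by the *lowercased* header name and uses
// the `key` field for the display casing. Writing to the lowercase key
// replaces a same-named header the origin may have sent; a mixed-case key
// would instead sit next to it and emit a second copy of the header.
// Shape: map-key -> [display name, value].
const SECURITY_HEADERS = Object.freeze({
  'strict-transport-security': [
    'Strict-Transport-Security',
    'max-age=63072000; includeSubDomains; preload',
  ],
  // Legacy filter header; modern guidance is to disable it ('0') or drop it.
  'x-xss-protection': ['X-XSS-Protection', '1; mode=block'],
  'x-content-type-options': ['X-Content-Type-Options', 'nosniff'],
  'x-frame-options': ['X-Frame-Options', 'SAMEORIGIN'],
  // 'no-referrer-when-downgrade' is the browser default; consider
  // 'strict-origin-when-cross-origin' if leaking full URLs cross-origin is a concern.
  'referrer-policy': ['Referrer-Policy', 'no-referrer-when-downgrade'],
  // Only upgrades http:// subresources; it does not restrict script/style sources.
  'content-security-policy': ['Content-Security-Policy', 'upgrade-insecure-requests;'],
  // Craft the Feature Policy params based on your needs.
  // The settings below are very restrictive and might produce undesirable results.
  // Allowlist tokens must be single-quoted ('none' / 'self'); bare `none` is
  // parsed as an origin and the directive is ignored. Feature-Policy has been
  // superseded by Permissions-Policy in current browsers.
  'feature-policy': [
    'Feature-Policy',
    "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'self'; vibrate 'none'; fullscreen 'self'; payment 'none'",
  ],
});

// The Expect-CT header is deprecated and only useful with a report endpoint.
// Set this to your report URI (e.g. 'https://<your_subdomain>.report-uri.com/r/d/ct/enforce')
// to emit it; Lambda@Edge has no environment variables, so it is a constant here.
const EXPECT_CT_REPORT_URI = null;

/**
 * Adds the configured security headers to the CloudFront response.
 *
 * @param {object} event - CloudFront origin-response event; the response is
 *   read from `event.Records[0].cf.response`.
 * @returns {Promise<object>} the same response object, with headers added
 *   (async handlers return the result instead of using the callback).
 */
const handler = async (event) => {
  const response = event.Records[0].cf.response;
  const headers = response.headers;

  for (const [name, [key, value]] of Object.entries(SECURITY_HEADERS)) {
    headers[name] = [{ key, value }];
  }

  if (EXPECT_CT_REPORT_URI) {
    headers['expect-ct'] = [{
      key: 'Expect-CT',
      value: `max-age=86400, enforce, report-uri="${EXPECT_CT_REPORT_URI}"`,
    }];
  }

  return response;
};

exports.handler = handler;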