A quick demonstration of using Lamba@Edge to inject extra HTTP Security/Cache Headers

lambda-at-edge-headers.js

'use strict';
exports.handler = (event, context, callback) => {
    const response = event.Records[0].cf.response;
    const headers = response.headers;

    var hr = {
        'Strict-Transport-Security': 'max-age=600;',
        'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
        'Pragma': 'no-cache',
        'X-LambdaAtEdge': 'true'
    };

    for (var key in hr){
        headers[key.toLowerCase()] = [ 
            { key: key, value: hr[key]} 
        ];
    }
    
    callback(null, response);
};