Add HTTP security headers to CloudFront responses with Lambda@Edge.
'use strict';

/*
 * Lambda@Edge function that stamps a fixed set of HTTP security headers onto
 * the response carried in a CloudFront event.
 *
 * Deployment notes:
 * - The handler reads `cf.response`, which is only present on origin-response
 *   and viewer-response events, so it must be attached to one of those two
 *   triggers.
 * - The headers are applied unconditionally: every response passing through
 *   the trigger gets them, and a header of the same name already set by the
 *   origin is replaced.
 * - No Content-Security-Policy is set here. A CSP has to be written for the
 *   specific site, so treat this list as a baseline rather than a complete
 *   policy.
 * - CloudFront response headers policies can add the same headers without
 *   running a function; consider that option before deploying code for it.
 */

// [header name, header value] pairs, in the order they are applied.
const SECURITY_HEADERS = [
  // HSTS for one year (31536000 s). There is no `includeSubDomains`, so
  // subdomains of the served host are not covered by this policy.
  ['Strict-Transport-Security', 'max-age=31536000'],

  // Forbids rendering the response in any frame (clickjacking defence).
  // The CSP `frame-ancestors` directive is the current equivalent.
  ['X-Frame-Options', 'deny'],

  // NOTE(review): this header drives the legacy browser XSS auditor, which
  // current browsers no longer ship. Present-day guidance (e.g. OWASP) is to
  // send `0` or drop the header and rely on a Content-Security-Policy.
  // The value is kept as the author wrote it.
  ['X-XSS-Protection', '1; mode=block'],

  // Stops browsers from MIME-sniffing a response away from its declared
  // Content-Type.
  ['X-Content-Type-Options', 'nosniff'],

  // Cross-origin requests receive only the origin as referrer; same-origin
  // requests keep the full URL.
  ['Referrer-Policy', 'strict-origin-when-cross-origin'],
];

/**
 * Adds the security headers to the CloudFront response and hands it back.
 *
 * @param {object} event - CloudFront event; the response is read from
 *   `event.Records[0].cf.response`.
 * @param {object} context - Lambda context (unused).
 * @param {Function} callback - Called as `callback(null, response)` with the
 *   same response object, mutated in place.
 */
exports.handler = (event, context, callback) => {
  const { response } = event.Records[0].cf;

  // CloudFront's header map is keyed by the lower-cased header name and each
  // entry is an array of { key, value } objects.
  SECURITY_HEADERS.forEach(([name, value]) => {
    response.headers[name.toLowerCase()] = [{ value, key: name }];
  });

  callback(null, response);
};