Add HTTP Security Headers to Cloudfront with Lambda@Edge.
'use strict';

// Lambda@Edge handler for a CloudFront response event
exports.handler = (event, context, callback) => {
    const response = event.Records[0].cf.response;
    const headers = response.headers;

    // Add security headers
    // Each entry is already in CloudFront's format: an array of { key, value } objects
    const securityHeaders = [
        [{
            'value': 'max-age=31536000',
            'key': 'Strict-Transport-Security'
        }],
        [{
            'value': 'deny',
            'key': 'X-Frame-Options'
        }],
        [{
            'value': '1; mode=block',
            'key': 'X-XSS-Protection'
        }],
        [{
            'value': 'nosniff',
            'key': 'X-Content-Type-Options'
        }],
        [{
            'value': 'strict-origin-when-cross-origin',
            'key': 'Referrer-Policy'
        }]
    ];

    // Add all headers of the array to the response object in the correct format
    // (the headers map is keyed by the lowercase header name)
    for (let header of securityHeaders) {
        headers[header[0].key.toLowerCase()] = header;
    }

    callback(null, response);
};
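
An added example, not part of the gist: a local check that a CloudFront response object carries the five headers above in the shape CloudFront expects (lowercase map key, array of { key, value } objects). The names EXPECTED, auditSecurityHeaders, goodResponse and badResponse are hypothetical, and both sample responses are constructed.

```javascript
// Added example, not part of the gist. Header names and values are the ones the
// gist sets; EXPECTED, auditSecurityHeaders and the samples are constructed.
const EXPECTED = {
  'strict-transport-security': v => /^max-age=\d+/i.test(v),
  'x-frame-options': v => /^(deny|sameorigin)$/i.test(v),
  'x-xss-protection': v => v.length > 0,
  'x-content-type-options': v => v.toLowerCase() === 'nosniff',
  'referrer-policy': v => v.length > 0,
};

// Returns a list of findings; an empty list means all five headers are present
// in the expected shape: lowercase map key -> [{ key, value }].
function auditSecurityHeaders(response) {
  const headers = response.headers || {};
  const findings = [];
  for (const [name, isValid] of Object.entries(EXPECTED)) {
    const entry = headers[name];
    if (entry === undefined) {
      const wrongCase = Object.keys(headers).find(k => k.toLowerCase() === name);
      findings.push(wrongCase ? `${name}: map key "${wrongCase}" is not lowercase`
                              : `${name}: missing`);
    } else if (!Array.isArray(entry) || !entry[0] || typeof entry[0].value !== 'string') {
      findings.push(`${name}: not an array of {key, value} objects`);
    } else if (!isValid(entry[0].value)) {
      findings.push(`${name}: unexpected value "${entry[0].value}"`);
    }
  }
  return findings;
}

// Constructed sample: a response as the handler above leaves it.
const h = (key, value) => [{ key, value }];
const goodResponse = { status: '200', headers: {
  'strict-transport-security': h('Strict-Transport-Security', 'max-age=31536000'),
  'x-frame-options': h('X-Frame-Options', 'deny'),
  'x-xss-protection': h('X-XSS-Protection', '1; mode=block'),
  'x-content-type-options': h('X-Content-Type-Options', 'nosniff'),
  'referrer-policy': h('Referrer-Policy', 'strict-origin-when-cross-origin'),
} };

// Constructed sample with three defects: mixed-case map key, bare string, missing header.
const badResponse = { status: '200', headers: {
  'strict-transport-security': h('Strict-Transport-Security', 'max-age=31536000'),
  'X-Frame-Options': h('X-Frame-Options', 'deny'),
  'x-xss-protection': h('X-XSS-Protection', '1; mode=block'),
  'x-content-type-options': 'nosniff',
} };

console.log(auditSecurityHeaders(goodResponse), auditSecurityHeaders(badResponse));
```

Running the handler against a constructed event and passing the resulting response to auditSecurityHeaders gives a quick regression check before publishing a new function version.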