Add Security Headers CloudFront

Add several security-related HTTP response headers to a CloudFront distribution, such as HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), X-Content-Type-Options, X-Frame-Options, and X-XSS-Protection.

Create distribution

As usual, first create the CloudFront distribution:

aws cloudfront create-distribution \
--origin-domain-name awsexamplebucket.s3.amazonaws.com \
--default-root-object index.html

Create functions

Clone the aws-samples Git repository:

git clone https://github.com/aws-samples/amazon-cloudfront-functions.git

Edit the index.js file in the add-security-headers folder:

function handler(event) {
    var response = event.response;
    var headers = response.headers;

    // Set HTTP security headers
    // Since JavaScript doesn't allow for hyphens in variable names, we use the dict["key"] notation
    headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'};
    headers['x-content-type-options'] = { value: 'nosniff'};
    headers['x-frame-options'] = {value: 'SAMEORIGIN'};
    headers['x-xss-protection'] = {value: '1; mode=block'};
    headers['referrer-policy'] = {value: 'same-origin'};

    // Return the response to viewers
    return response;
}
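As an added example (not the aws-samples code above), here is the same function extended with a Content-Security-Policy header, which the introduction lists but the sample function does not set, together with a small local check that mirrors the curl test at the end of this post. The event shape and the CSP value are constructed assumptions; tune the CSP to the assets your site actually loads.

```javascript
// Headers to set on every viewer response. Names must be lowercase in the
// CloudFront Functions event structure. The CSP below is a constructed,
// deliberately strict starting point, not a value from the aws-samples repo.
var SECURITY_HEADERS = {
    'strict-transport-security': 'max-age=63072000; includeSubdomains; preload',
    'content-security-policy': "default-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self'",
    'x-content-type-options': 'nosniff',
    'x-frame-options': 'SAMEORIGIN',
    'x-xss-protection': '1; mode=block',
    'referrer-policy': 'same-origin'
};

function handler(event) {
    var response = event.response;
    var headers = response.headers;
    // Overwrite any value the origin sent so the policy is enforced at the edge.
    for (var name in SECURITY_HEADERS) {
        headers[name] = { value: SECURITY_HEADERS[name] };
    }
    return response;
}

// Local check: run the handler over a viewer-response event and report any
// header that is missing or carries an unexpected value (empty list = all good).
function missingHeaders(event) {
    var out = handler(event).headers;
    var missing = [];
    for (var name in SECURITY_HEADERS) {
        if (!out[name] || out[name].value !== SECURITY_HEADERS[name]) {
            missing.push(name);
        }
    }
    return missing;
}

// Constructed viewer-response event in the shape CloudFront Functions deliver.
function sampleEvent() {
    return {
        version: '1.0',
        context: { eventType: 'viewer-response' },
        request: { method: 'GET', uri: '/index.html', headers: {} },
        response: {
            statusCode: 200,
            statusDescription: 'OK',
            headers: { 'content-type': { value: 'text/html' } }
        }
    };
}
```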

Next, create the function with the following command:

aws cloudfront create-function --name add-security-headers \
--function-config Comment="",Runtime="cloudfront-js-1.0" \
--function-code fileb://amazon-cloudfront-functions/add-security-headers/index.js

Publish the function so that it can be associated with a distribution (the --if-match value is the ETag returned by create-function):

aws cloudfront publish-function --name add-security-headers --if-match ETVXXXX

Associate with the distribution

Once the function is published, export the distribution config:

aws cloudfront get-distribution-config --id E1S7DD048XXXXX --output json > dist-config.json

Edit the FunctionAssociations section of dist-config.json:

            "FunctionAssociations": {
                "Quantity": 1,
                "Items": [
                    {
                        "FunctionARN": "arn:aws:cloudfront::0123456789012:function/add-security-headers",
                        "EventType": "viewer-response"
                    }
                ]
            },

Then update the distribution (remove the top-level ETag field from dist-config.json first; its value is what goes in --if-match):

aws cloudfront update-distribution --id E1S7DD048XXXXX --if-match ER61LHDOXXXXX \
--cli-input-json fileb://dist-config.json

Wait for the deployment to finish, then test with curl:

$ curl -I d1iq4pm6ncrv8z.cloudfront.net
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 28833
Connection: keep-alive
Date: Wed, 18 Jan 2023 15:02:44 GMT
Last-Modified: Wed, 11 Jan 2023 03:55:23 GMT
Etag: "faaa9135b0dbbe204ebea6db87d87137"
Accept-Ranges: bytes
Server: AmazonS3
Via: 1.1 5222092a3a10e1d8270e47e821db1ef4.cloudfront.net (CloudFront)
Age: 8598
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Referrer-Policy: same-origin
X-Cache: Hit from cloudfront
X-Amz-Cf-Pop: SIN5-C1
X-Amz-Cf-Id: vG71D351dCtAqhw7-VFfPvPAz2592tygNJF-WTPWZtd2QSgslcna3A==