Add Security Headers CloudFront


Add several security-related HTTP response headers to a CloudFront distribution, such as HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), X-Content-Type-Options, X-Frame-Options, and X-XSS-Protection.

Create distribution

As usual, first create the CloudFront distribution:

aws cloudfront create-distribution \
--origin-domain-name awsexamplebucket.s3.amazonaws.com \
--default-root-object index.html

Create the function

Clone the aws-samples Git repository:

git clone https://github.com/aws-samples/amazon-cloudfront-functions.git

Edit the index.js file in the add-security-headers folder:

function handler(event) {
    var response = event.response;
    var headers = response.headers;

    // Set HTTP security headers
    // Since JavaScript doesn't allow for hyphens in variable names, we use the dict["key"] notation
    headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'};
    headers['x-content-type-options'] = { value: 'nosniff'};
    headers['x-frame-options'] = {value: 'SAMEORIGIN'};
    headers['x-xss-protection'] = {value: '1; mode=block'};
    headers['referrer-policy'] = {value: 'same-origin'};

    // Return the response to viewers
    return response;
}
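The sample above only shows the deployed handler. The following is an added example (not the aws-samples code): the same viewer-response handler, extended with the Content-Security-Policy header that the introduction lists but the sample does not set, plus a local harness that builds a viewer-response event of the documented shape and runs the handler against it, so the function can be checked before `publish-function`. The CSP value, the `makeViewerResponseEvent` helper, the `missingSecurityHeaders` helper and the sample origin headers are assumptions; only the `SECURITY_HEADERS` table and `handler` would go into the file uploaded with `create-function`.

```javascript
'use strict';

// Header set added on every viewer response. Mirrors the page's function and
// adds Content-Security-Policy. The CSP value is an assumed starting point; a
// real site needs a policy that matches the resources it actually loads.
var SECURITY_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubdomains; preload',
  'content-security-policy': "default-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self'",
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'SAMEORIGIN',
  'x-xss-protection': '1; mode=block',
  'referrer-policy': 'same-origin'
};

// CloudFront Functions entry point for a viewer-response event. Header names in
// the event object are lower-case and each header is an object with a `value` key.
function handler(event) {
  var response = event.response;
  var headers = response.headers;
  for (var name in SECURITY_HEADERS) {
    if (Object.prototype.hasOwnProperty.call(SECURITY_HEADERS, name)) {
      headers[name] = { value: SECURITY_HEADERS[name] };
    }
  }
  return response;
}

// Local-only harness (assumed shape, modelled on the documented viewer-response
// event structure). The origin headers are copied so the caller's object is not
// mutated by the handler.
function makeViewerResponseEvent(statusCode, originHeaders) {
  return {
    version: '1.0',
    context: { eventType: 'viewer-response' },
    viewer: { ip: '198.51.100.10' }, // constructed sample address
    request: { method: 'GET', uri: '/index.html', querystring: {}, headers: {}, cookies: {} },
    response: {
      statusCode: statusCode,
      statusDescription: 'OK',
      headers: Object.assign({}, originHeaders),
      cookies: {}
    }
  };
}

// Run the handler on a constructed origin response and return the names of any
// expected security headers that are absent or carry the wrong value.
function missingSecurityHeaders(originHeaders) {
  var out = handler(makeViewerResponseEvent(200, originHeaders));
  return Object.keys(SECURITY_HEADERS).filter(function (name) {
    return !out.headers[name] || out.headers[name].value !== SECURITY_HEADERS[name];
  });
}

// Origin headers as S3 would send them (constructed sample); the function must
// leave these untouched and only add the security set.
var SAMPLE_ORIGIN_HEADERS = {
  'content-type': { value: 'text/html' },
  'server': { value: 'AmazonS3' }
};

console.log('missing after handler:', missingSecurityHeaders(SAMPLE_ORIGIN_HEADERS));
```

Running the file locally prints an empty list; a non-empty list means a header was dropped or renamed, which is easier to catch here than after the distribution has finished deploying.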

Next, create the function with the following command:

aws cloudfront create-function --name add-security-headers \
--function-config Comment="",Runtime="cloudfront-js-1.0" \
--function-code fileb://amazon-cloudfront-functions/add-security-headers/index.js

Publish the function so it can be associated with a distribution. The value passed to --if-match is the ETag returned by create-function:

aws cloudfront publish-function --name add-security-headers --if-match ETVXXXX

Associate the function with the distribution

Once the function has been published, export the distribution config:

aws cloudfront get-distribution-config --id E1S7DD048XXXXX --output json > dist-config.json

Edit the FunctionAssociations section in dist-config.json:

            "FunctionAssociations": {
                "Quantity": 1,
                "Items": [
                    {
                        "FunctionARN": "arn:aws:cloudfront::0123456789012:function/add-security-headers",
                        "EventType": "viewer-response"
                    }
                ]
            },

Then update the distribution. The --if-match value is the ETag returned by get-distribution-config:

aws cloudfront update-distribution --id E1S7DD048XXXXX --if-match ER61LHDOXXXXX \
--cli-input-json fileb://dist-config.json

Wait for the deployment to finish, then test with curl:

$ curl -I d1iq4pm6ncrv8z.cloudfront.net
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 28833
Connection: keep-alive
Date: Wed, 18 Jan 2023 15:02:44 GMT
Last-Modified: Wed, 11 Jan 2023 03:55:23 GMT
Etag: "faaa9135b0dbbe204ebea6db87d87137"
Accept-Ranges: bytes
Server: AmazonS3
Via: 1.1 5222092a3a10e1d8270e47e821db1ef4.cloudfront.net (CloudFront)
Age: 8598
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Referrer-Policy: same-origin
X-Cache: Hit from cloudfront
X-Amz-Cf-Pop: SIN5-C1
X-Amz-Cf-Id: vG71D351dCtAqhw7-VFfPvPAz2592tygNJF-WTPWZtd2QSgslcna3A==
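Reading the curl output by eye works once, but a script is more reliable when the check has to be repeated after every distribution change. The following is an added example (not part of the original post): it parses the status line and header block of a `curl -I` response, normalises header names to lower case (header names are case-insensitive, which is why curl prints `X-Xss-Protection` for the header the function set as `x-xss-protection`), and reports which expected headers are missing or carry a weak value, such as an HSTS max-age below one year. The one-year threshold, the list of required headers and the sample responses are assumptions; the samples are constructed to mirror the post's curl output. X-XSS-Protection is deliberately not required by the audit, since current browsers ignore it.

```javascript
'use strict';

// Minimum HSTS lifetime the audit accepts: one year (assumed threshold, the
// value used by the hstspreload.org submission requirements).
var MIN_HSTS_MAX_AGE = 31536000;

// Extract the max-age directive from an HSTS value; -1 if absent.
function hstsMaxAge(value) {
  var m = /max-age=(\d+)/i.exec(value);
  return m ? parseInt(m[1], 10) : -1;
}

// Headers the deployment is expected to set, each with a predicate on its value.
var REQUIRED_HEADERS = {
  'strict-transport-security': function (v) { return hstsMaxAge(v) >= MIN_HSTS_MAX_AGE; },
  'x-content-type-options': function (v) { return v.toLowerCase() === 'nosniff'; },
  'x-frame-options': function (v) { return /^(deny|sameorigin)$/i.test(v); },
  'referrer-policy': function (v) { return v.length > 0; }
};

// Parse the status line and header block of a `curl -I` response. Repeated
// headers are joined with commas, as RFC 9110 allows.
function parseResponseHead(raw) {
  var lines = raw.split(/\r?\n/);
  var headers = {};
  for (var i = 1; i < lines.length; i++) {
    var line = lines[i];
    if (line.trim() === '') break;      // blank line ends the header block
    var idx = line.indexOf(':');
    if (idx < 0) continue;              // tolerate stray non-header lines
    var name = line.slice(0, idx).trim().toLowerCase();
    var value = line.slice(idx + 1).trim();
    headers[name] = (name in headers) ? headers[name] + ', ' + value : value;
  }
  return { statusLine: lines[0], headers: headers };
}

// Return the required headers that are absent ("missing") or present with a
// value that fails its predicate ("weak").
function auditSecurityHeaders(raw) {
  var parsed = parseResponseHead(raw);
  var missing = [];
  var weak = [];
  Object.keys(REQUIRED_HEADERS).forEach(function (name) {
    var value = parsed.headers[name];
    if (value === undefined) {
      missing.push(name);
    } else if (!REQUIRED_HEADERS[name](value)) {
      weak.push(name);
    }
  });
  return { missing: missing, weak: weak, ok: missing.length === 0 && weak.length === 0 };
}

// Constructed samples modelled on the post's curl output: after the function is
// attached, before it is attached, and with a too-short HSTS lifetime.
var SAMPLE_AFTER = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  'Server: AmazonS3',
  'X-Frame-Options: SAMEORIGIN',
  'X-Content-Type-Options: nosniff',
  'X-Xss-Protection: 1; mode=block',
  'Strict-Transport-Security: max-age=63072000; includeSubdomains; preload',
  'Referrer-Policy: same-origin',
  'X-Cache: Hit from cloudfront',
  ''
].join('\r\n');

var SAMPLE_BEFORE = 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: AmazonS3\r\n\r\n';

var SAMPLE_WEAK_HSTS = SAMPLE_AFTER.replace('max-age=63072000', 'max-age=300');

console.log('after:', auditSecurityHeaders(SAMPLE_AFTER));
console.log('before:', auditSecurityHeaders(SAMPLE_BEFORE));
console.log('weak HSTS:', auditSecurityHeaders(SAMPLE_WEAK_HSTS));
```

To audit a live distribution, feed the output of `curl -sI <distribution domain>` into `auditSecurityHeaders` instead of the constructed samples; the `missing` list for the post's curl output above is empty, and the `weak` list stays empty as long as the HSTS max-age is at least a year.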
