Security-related Headers in s3deploy.yml?

[RickCogley]

Hi - in the s3deploy.yml the readme shows examples of adding caching and gzip headers. Will it also work for security-related headers like this?

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin

[bep]

I don't see why not. I have not used these header for that purpose (yet), but they get passed ass key/values to S3, and I assume that S3 does the same when it's fetched.

[RickCogley]

Ok, tried it but it does nothing, FYI. Looks like the headers you can set in S3 are limited, and you have to use a lambda@edge function with cloudfront to inject them. https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/

(if you are using netlify for instance, it has a way to set the headers like you would do with an .htaccess file with apache)

[blimmer]

CloudFront now natively supports adding security response headers at the distribution level. That has been a good workaround for me: https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-cloudfront-supports-cors-security-custom-http-response-headers/

[RickCogley]

Thanks for the tip :)

…

-- Rick Cogley Cell: 090-9959-5452 (from mobile)

On Dec 12, 2021, at 5:58, Ben Limmer ***@***.***> wrote:  CloudFront now natively supports adding security response headers at the distribution level. That has been a good workaround for me: https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-cloudfront-supports-cors-security-custom-http-response-headers/ — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.

[bep]

I got reminded about this when upgrading the AWS sdk to v2. S3 only supports a set of predefined headers. In v1, other headers just gets dropped, in v2 they are stored, but prefixed with x-amz-.