bep
Security-related Headers in s3deploy.yml?
Hi - in the s3deploy.yml the readme shows examples of adding caching and gzip headers. Will it also work for security-related headers like this?
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin
I don't see why not. I have not used these header for that purpose (yet), but they get passed ass key/values to S3, and I assume that S3 does the same when it's fetched.
Ok, tried it but it does nothing, FYI. Looks like the headers you can set in S3 are limited, and you have to use a lambda@edge function with cloudfront to inject them. https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/
(if you are using netlify for instance, it has a way to set the headers like you would do with an .htaccess file with apache)
CloudFront now natively supports adding security response headers at the distribution level. That has been a good workaround for me: https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-cloudfront-supports-cors-security-custom-http-response-headers/
Thanks for the tip :)
-- Rick Cogley Cell: 090-9959-5452 (from mobile)
On Dec 12, 2021, at 5:58, Ben Limmer @.***> wrote:
CloudFront now natively supports adding security response headers at the distribution level. That has been a good workaround for me: https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-cloudfront-supports-cors-security-custom-http-response-headers/
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.
I got reminded about this when upgrading the AWS sdk to v2. S3 only supports a set of predefined headers. In v1, other headers just gets dropped, in v2 they are stored, but prefixed with x-amz-.
