Adding custom security headers
In case I'd like to add some custom headers like X-Frame-Options or Content-Security-Policy, it seems my only option is to add a CloudFront function or a Lambda@Edge function, as per the following resources:
- https://stackoverflow.com/questions/33144580/configuring-x-frame-options-response-header-on-aws-cloudfront-and-s3
- https://stackoverflow.com/questions/69227820/add-x-frame-options-header-to-all-urls-using-cloudfront-functions
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example-function-add-security-headers.html
- https://github.com/aws-samples/amazon-cloudfront-functions/tree/main/add-security-headers
I'd like to be able to set something like:
```yaml
component: website
name: my-website
inputs:
  src: ./src
  domain: serverless.com
  bucketName: my-bucket
  headers:
    X-Frame-Options: DENY
```
I can try to help with a PR for this, but I'd appreciate some pointers on whether this is something you'd be interested in supporting, since there's only one other similar request and I couldn't find anything for custom headers in the code (only this hints at it, but it isn't the same thing).
@eahefnawy / @ac360 I've noticed there hasn't been much activity here for almost a year. Let me know if there's a better component/thing to use instead! Thanks.
AWS introduces response headers policies. When I modified it from the CloudFront console and deployed again, the ResponseHeadersPolicyId field got removed.
Hi, thanks for sharing the use case. That is an interesting feature request. To clarify a bit, note that there are no plans to implement (or review/test/merge a PR) that feature in the coming months.
Thanks.
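For reference, a CloudFront Functions viewer-response handler of the kind the linked AWS resources describe, driven by a header map shaped like the `headers` input proposed above. This is an added example, not part of the thread or of this component's code; `SECURITY_HEADERS` and `applyHeaders` are hypothetical names, and every header value other than `X-Frame-Options: DENY` is constructed for illustration.

```javascript
// Added example: CloudFront Functions viewer-response handler.
// SECURITY_HEADERS mirrors the `headers` map proposed in the issue.
// Only X-Frame-Options: DENY comes from the thread; the rest is constructed.
var SECURITY_HEADERS = {
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff'
};

// Apply a name -> value map to a CloudFront response object.
// overwrite=false keeps any value the origin already sent.
function applyHeaders(response, wanted, overwrite) {
  var headers = response.headers || (response.headers = {});
  Object.keys(wanted).forEach(function (name) {
    // Header names in the CloudFront Functions event object are lowercase.
    var key = name.toLowerCase();
    var value = String(wanted[name]);
    // Reject CR/LF so a configured value can never split the response.
    if (/[\r\n]/.test(value)) { return; }
    if (!overwrite && headers[key]) { return; }
    headers[key] = { value: value };
  });
  return response;
}

// Entry point CloudFront invokes on the viewer-response event.
function handler(event) {
  return applyHeaders(event.response, SECURITY_HEADERS, true);
}
```

With `overwrite` set to `true`, as in `handler`, a weaker value sent by the origin (for example `X-Frame-Options: SAMEORIGIN`) is replaced by the configured one.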