Reputation: 1
I need help, I am stuck, why isn't this working anywhere? What am I missing? Need an easy (hopefully inexpensive) solution.
My website fails the Mozilla Observatory header test and I have been trying to add a simple response header such as X-Frame-Options: Deny
via the WAF, CloudFront, Lambda@Edge, and nothing seems to work. I look at the code on the website and nothing seems to work. I must be missing something very simple.
WAF • Added an ACL with managed third-party rules (OWASP Top 10), and tried setting up custom response header rules with the rule builder, attached to the Application Load Balancer and to the CloudFront distribution, but no luck when testing.
CloudFront
• Added an AWS Managed SecurityHeaderPolicy
as part of the response header policy as a behavior for a CloudFront Distribution with no luck when testing.
• Tried a custom security policy with just one response header response for X-Frame-Options: Deny
and still no luck when testing. (Note, I added the policy within the same cache policy set for optimization)
Lambda@Edge • Added a Modify “HTTP Response Header” function against an existing CloudFront distribution with an Amazon S3 origin, with no success. Created a CloudFront trigger and changed the code:
'use strict';
// Lambda@Edge handler for the CloudFront "origin response" trigger: it runs on the
// response CloudFront receives from the S3 origin, before that response is cached.
exports.handler = (event, context, callback) => {
    // Get contents of response
    const response = event.Records[0].cf.response;
    const headers = response.headers;
    // Set new headers. CloudFront expects lowercase header names as keys, each
    // mapping to an array of {key, value} objects.
    headers['strict-transport-security'] = [{key: 'Strict-Transport-Security',
        value: 'max-age=63072000; includeSubdomains; preload'}];
    headers['x-content-type-options'] = [{key: 'X-Content-Type-Options', value: 'nosniff'}];
    headers['x-frame-options'] = [{key: 'X-Frame-Options', value: 'DENY'}];
    headers['x-xss-protection'] = [{key: 'X-XSS-Protection', value: '1; mode=block'}];
    headers['referrer-policy'] = [{key: 'Referrer-Policy', value: 'same-origin'}];
    // Return modified response
    callback(null, response);
};
I made sure that the CloudFront distribution behavior has the Lambda@Edge origin response field populated with the correct function ARN.
Thank You, Edward
Upvotes: 0
Views: 535
Reputation: 11
Since you only mentioned X-Frame-Options
, I am going to assume that by "failing" you mean it is failing that specific test. Without more details it's tough to say whether there is any issue in your configurations. However, it's possible it's something to do with the scanner itself. In Observatory there is an option to ignore cached results; otherwise Mozilla will just give you the same results as before (for 24 hours) despite your changes. [Screenshot: Mozilla Observatory] It's possible you were getting cached results if you tested shortly after making changes.
I just ran my website through the scan and it picked up my secure X-Frame header, which I set up through a custom policy in CloudFront as well.
Upvotes: 0
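The quickest way to separate a scanner-cache problem from a deployment problem is to look at the headers the site actually returns and at CloudFront's own X-Cache header. The script below is an added example, not code from the question or the answer above: it audits a response's security headers and, when a header is missing on a response that CloudFront reports as a cache hit, points at the usual cause (an object cached before the change, which keeps its old headers until invalidated; a response headers policy or a viewer-response trigger, by contrast, is applied to cache hits as well). The sample responses STALE_CACHED, FRESH and the six-month HSTS threshold are constructed/assumed for the example.

```javascript
'use strict';
// Added example (not from the original post): audit the security headers a
// response carries and classify it as a CloudFront cache hit or miss.
// Header names and X-Cache values are real CloudFront/browser headers; the
// sample responses below are constructed for the example.

// Required headers and a predicate saying what counts as a good value.
const HSTS_MIN_AGE = 15768000; // about six months; assumed minimum, as scanners like Observatory expect
const REQUIRED = {
  'x-frame-options': v => /^(deny|sameorigin)$/i.test(v.trim()),
  'x-content-type-options': v => v.trim().toLowerCase() === 'nosniff',
  'strict-transport-security': v => {
    const m = /max-age=(\d+)/i.exec(v);
    return m !== null && Number(m[1]) >= HSTS_MIN_AGE;
  },
  'referrer-policy': v => v.trim().length > 0,
};

// Accept plain {Name: value} objects (as returned by fetch) and the
// Lambda@Edge shape {name: [{key, value}]}; lowercase every name.
function normalize(headers) {
  const out = {};
  for (const [name, v] of Object.entries(headers)) {
    const value = Array.isArray(v)
      ? v.map(e => (typeof e === 'string' ? e : e.value)).join(', ')
      : String(v);
    out[name.toLowerCase()] = value;
  }
  return out;
}

// CloudFront reports "Hit from cloudfront", "Miss from cloudfront", etc.
function cacheStatus(h) {
  const x = h['x-cache'] || '';
  if (/^hit from cloudfront/i.test(x)) return 'hit';
  if (/^miss from cloudfront/i.test(x)) return 'miss';
  return 'unknown';
}

function audit(headers) {
  const h = normalize(headers);
  const missing = [];
  const weak = [];
  for (const [name, ok] of Object.entries(REQUIRED)) {
    if (!(name in h)) missing.push(name);
    else if (!ok(h[name])) weak.push(name);
  }
  const cache = cacheStatus(h);
  return { missing, weak, cache, pass: missing.length === 0 && weak.length === 0 };
}

// Turn an audit result into the next thing to check.
function diagnose(result) {
  if (result.pass) return 'all required headers present';
  const what = [
    ...result.missing.map(n => `missing ${n}`),
    ...result.weak.map(n => `weak ${n}`),
  ].join(', ');
  if (result.cache === 'hit') {
    return `${what}; this was a CloudFront cache hit. Headers added by the origin or by an ` +
      `origin-response Lambda@Edge trigger are stored with the cached object, so objects cached ` +
      `before the change keep their old headers until you invalidate them ` +
      `(aws cloudfront create-invalidation --distribution-id <id> --paths "/*"). ` +
      `A response headers policy or a viewer-response trigger is applied to cache hits too.`;
  }
  return `${what}; this was not a cache hit, so the current origin/edge configuration itself is not adding the header.`;
}

// Constructed samples: an object cached before the headers were added, and a fresh fetch.
const STALE_CACHED = { 'content-type': 'text/html', 'x-cache': 'Hit from cloudfront', server: 'AmazonS3' };
const FRESH = {
  'Content-Type': 'text/html',
  'X-Cache': 'Miss from cloudfront',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=63072000; includeSubdomains; preload',
  'Referrer-Policy': 'same-origin',
};

// Live check (Node 18+ has fetch): node audit.js https://example.com/
async function auditUrl(url) {
  const res = await fetch(url, { method: 'HEAD', redirect: 'manual', cache: 'no-store' });
  return audit(Object.fromEntries(res.headers));
}

if (typeof require !== 'undefined' && require.main === module) {
  const url = process.argv[2];
  if (url) auditUrl(url).then(r => console.log(diagnose(r)));
  else for (const s of [STALE_CACHED, FRESH]) console.log(diagnose(audit(s)));
}
```

Run it against the real URL a couple of times: if X-Cache says "Hit from cloudfront" and the header is still absent, the distribution is serving a copy cached before the change, and an invalidation (or switching the function to a viewer-response trigger) is the fix; if it is a miss and the header is still absent, the configuration itself is not emitting it.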