Whether you're taking your first steps with Kubernetes or you're an experienced practitioner looking to sharpen your skills, our Amazon EKS workshop series delivers practical, real-world experience that moves you forward. Learn directly from AWS solutions architects and EKS specialists through hands-on sessions designed to build your confidence with Kubernetes. Register now and start building with Amazon EKS!
How do I add HTTP security headers to CloudFront responses?
I want to add HTTP security headers to Amazon CloudFront responses.
Short description
HTTP security headers improve the privacy and security of a web application and protect it from vulnerabilities. See the following list for common HTTP security headers:
- Referrer Policy on the Mozilla website
- HTTP Strict Transport Security (HSTS) on the Mozilla website
- Content Security Policy (CSP) on the Mozilla website
- X-Content-Type-Options on the Mozilla website
- X-Frame-Options on the Mozilla website
- X-XSS-Protection on the Mozilla website
CloudFront response headers policies allow you to add one or more HTTP security headers to a response from CloudFront.
Resolution
You can use managed response headers policies that include pre-defined values for the most common HTTP security headers. Or, you can create a custom response header policy with custom security headers and values that you can add to the required CloudFront behavior.
Attach a response headers policy to a cache behavior
After you create a response headers policy, attach it to a cache behavior in a CloudFront distribution. To attach a managed or custom security headers response policy to an existing CloudFront distribution, complete the following steps:
- Open the CloudFront console.
- Choose the distribution that you want to update.
- Under the Behaviors tab, select the cache behavior that you want to modify. Then, choose Edit.
- For Response headers policy, choose SecurityHeadersPolicy. Or, choose the custom policy that you created.
- Choose Save changes.
See the following example of a CloudFront response with HTTP security response headers:
curl -I https://dxxxxxxxbai33q.cloudfront.net HTTP/2 200 content-type: text/html content-length: 9850 vary: Accept-Encoding date: xxxxxxxxx last-modified: xxxxxxx etag: "c59c5ef71f3350489xxxxxxxxxx" x-amz-server-side-encryption: AES256 cache-control: no-store, no-cache, private x-amz-version-id: null accept-ranges: bytes server: AmazonS3 x-xss-protection: 1; mode=block x-frame-options: SAMEORIGIN referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff strict-transport-security: max-age=31536000 x-cache: Miss from cloudfront via: 1.1 12142717248e0e7148a5c1a9151ab918.cloudfront.net (CloudFront) x-amz-cf-pop: BOS50-C3 x-amz-cf-id: nHNANTZYdkQkE5BmsqlisPTiodFhVCK-Sf9Zp4iJzNs04eWi1_hEig==
Create a custom response headers policy from the CloudFront console
- Open the CloudFront console.
- From the navigation menu, choose Policies. Then, choose Response headers.
- Choose Create response headers policy.
- Under Security headers, select each of the security headers that you want to add to the policy. Add or select the required values for each header.
- Under Custom headers, add the custom security headers and values that you want CloudFront to add to the responses.
- Fill out other fields as required. Then, select Create.
- Language
- English
Relevant content
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 2 years ago
