interface ResponseHeadersXSSProtection
Language | Type name |
---|---|
.NET | Amazon.CDK.AWS.CloudFront.ResponseHeadersXSSProtection |
Java | software.amazon.awscdk.services.cloudfront.ResponseHeadersXSSProtection |
Python | aws_cdk.aws_cloudfront.ResponseHeadersXSSProtection |
TypeScript (source) | @aws-cdk/aws-cloudfront » ResponseHeadersXSSProtection |
Determines whether CloudFront includes the X-XSS-Protection HTTP response header and the header’s value.
Example
```ts
import * as cloudfront from '@aws-cdk/aws-cloudfront';
import * as origins from '@aws-cdk/aws-cloudfront-origins';
import { Duration } from '@aws-cdk/core';

// Using an existing managed response headers policy
declare const bucketOrigin: origins.S3Origin;
new cloudfront.Distribution(this, 'myDistManagedPolicy', {
  defaultBehavior: {
    origin: bucketOrigin,
    responseHeadersPolicy: cloudfront.ResponseHeadersPolicy.CORS_ALLOW_ALL_ORIGINS,
  },
});

// Creating a custom response headers policy -- all parameters optional
const myResponseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'ResponseHeadersPolicy', {
  responseHeadersPolicyName: 'MyPolicy',
  comment: 'A default policy',
  corsBehavior: {
    accessControlAllowCredentials: false,
    accessControlAllowHeaders: ['X-Custom-Header-1', 'X-Custom-Header-2'],
    accessControlAllowMethods: ['GET', 'POST'],
    accessControlAllowOrigins: ['*'],
    accessControlExposeHeaders: ['X-Custom-Header-1', 'X-Custom-Header-2'],
    accessControlMaxAge: Duration.seconds(600),
    originOverride: true,
  },
  customHeadersBehavior: {
    customHeaders: [
      { header: 'X-Amz-Date', value: 'some-value', override: true },
      { header: 'X-Amz-Security-Token', value: 'some-value', override: false },
    ],
  },
  securityHeadersBehavior: {
    contentSecurityPolicy: { contentSecurityPolicy: 'default-src https:;', override: true },
    contentTypeOptions: { override: true },
    frameOptions: { frameOption: cloudfront.HeadersFrameOption.DENY, override: true },
    referrerPolicy: { referrerPolicy: cloudfront.HeadersReferrerPolicy.NO_REFERRER, override: true },
    strictTransportSecurity: { accessControlMaxAge: Duration.seconds(600), includeSubdomains: true, override: true },
    // reportUri cannot be combined with modeBlock (see the reportUri property
    // below), so this policy sets only "1; mode=block".
    xssProtection: { protection: true, modeBlock: true, override: true },
  },
});

new cloudfront.Distribution(this, 'myDistCustomPolicy', {
  defaultBehavior: {
    origin: bucketOrigin,
    responseHeadersPolicy: myResponseHeadersPolicy,
  },
});
```
Properties
Name | Type | Description |
---|---|---|
override | boolean | A Boolean that determines whether CloudFront overrides the X-XSS-Protection HTTP response header received from the origin with the one specified in this response headers policy. |
protection | boolean | A Boolean that determines the value of the X-XSS-Protection HTTP response header. |
modeBlock? | boolean | A Boolean that determines whether CloudFront includes the mode=block directive in the X-XSS-Protection header. |
reportUri? | string | A reporting URI, which CloudFront uses as the value of the report directive in the X-XSS-Protection header. |
override
Type: boolean
A Boolean that determines whether CloudFront overrides the X-XSS-Protection HTTP response header received from the origin with the one specified in this response headers policy.

protection
Type: boolean
A Boolean that determines the value of the X-XSS-Protection HTTP response header.
When this setting is true, the value of the X-XSS-Protection header is 1. When this setting is false, the value of the X-XSS-Protection header is 0.

modeBlock?
Type: boolean (optional, default: false)
A Boolean that determines whether CloudFront includes the mode=block directive in the X-XSS-Protection header.

reportUri?
Type: string (optional, default: no report uri)
A reporting URI, which CloudFront uses as the value of the report directive in the X-XSS-Protection header.
You cannot specify a ReportUri when ModeBlock is true.
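To make the property semantics above concrete, here is an added example (not part of the CDK library) that renders the X-XSS-Protection value a policy with these settings produces, applies the override rule against a header the origin already sent, and rejects the reportUri-with-modeBlock combination. The interface name `XssProtectionProps` and both function names are assumptions chosen for this illustration; they mirror the documented properties rather than reuse CDK code.

```typescript
// Hypothetical mirror of the documented ResponseHeadersXSSProtection properties.
interface XssProtectionProps {
  override: boolean;
  protection: boolean;
  modeBlock?: boolean; // optional, default false
  reportUri?: string;  // optional, default: no report uri
}

// Renders the header value for a policy, e.g. "1; mode=block" or
// "1; report=https://...". Throws on the combination the policy forbids.
function renderXssProtectionHeader(props: XssProtectionProps): string {
  if (props.modeBlock && props.reportUri !== undefined) {
    throw new Error('reportUri cannot be specified when modeBlock is true');
  }
  if (!props.protection) {
    // protection=false yields "0": the filter is disabled, no directives apply.
    return '0';
  }
  const directives: string[] = ['1'];
  if (props.modeBlock) {
    directives.push('mode=block');
  }
  if (props.reportUri !== undefined) {
    directives.push(`report=${props.reportUri}`);
  }
  return directives.join('; ');
}

// Applies the override rule: with override=false a header the origin already
// returned is passed through unchanged; otherwise the policy value wins.
function effectiveXssProtectionHeader(
  originValue: string | undefined,
  props: XssProtectionProps,
): string {
  if (originValue !== undefined && !props.override) {
    return originValue;
  }
  return renderXssProtectionHeader(props);
}
```

Note that override=false only matters when the origin actually emits the header; when it does not, the policy value is sent either way. Current browsers largely ignore X-XSS-Protection, so the contentSecurityPolicy setting in the same securityHeadersBehavior is the control that matters for XSS mitigation.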