Improving security by enabling security specific headers - Secure Content Delivery with Amazon CloudFront

Improving security by enabling security specific headers

To improve the security of your content, you can use HTTP security headers that are natively supported by the HTTP protocol and most modern browsers. These security headers tell the browser how to behave when handling website content. They can do things such as enforced communications over HTTPS, or defining from where JavaScript content can be loaded.

The Open Web Application Security Project (OWASP), provides guidance on the implementation of HTTP security headers to improve the security of your application, through its secure headers project, the latest guidance includes examples and best practices.

Security headers are commonly implemented using the web application configuration, but when that is not possible, they can be added as part of the request-handling process in CloudFront by modifying the origin response using a Lambda@edge function. An example implementation is shared in this blog post. This solution adds the headers to the origin response, keeps that cached in CloudFront, and updates it every time content is refreshed.

Another consideration for enhanced security using HTTP headers is the appropriate configuration of Cross-origin resource sharing (CORS). In modern applications, the use of cross-domain resources is a necessity. The default restriction from browsers that only allows content from the same origin is impractical. To allow requests that have different origins (domain, protocol, or port), CORS must be enabled.

A number of HTTP headers relate to CORS, but two response headers are most important for security:

  • Access-Control-Allow-Origin specifies which domains can access a site.

  • Access-Control-Allow-Methods specifies which HTTP request methods (GET, PUT, DELETE, and others) can be used to access resources.

To implement CORS securely, you must associate a validation list with Access-Control-Allow-Origin header that identifies which specific domains can access resources. Then your application can validate against this list when a domain requests access.