Improving security by enabling security specific headers
To improve the security of your content, you can use HTTP security headers, which are natively supported by the HTTP protocol and by most modern browsers. These security headers tell the browser how to behave when handling website content. They can do things such as enforcing communication over HTTPS, or defining where JavaScript content can be loaded from.
The Open Web Application Security Project
Security headers are commonly implemented in the web application's own configuration, but alternatively you can configure CloudFront to add these security response headers for your application if required. CloudFront provides this configuration through a response headers policy, and it comes with managed policies that already include security headers such as Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, and so on.
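As an added example (not code from the whitepaper or from CloudFront), the following Python audit evaluates a captured set of HTTP response headers for the three headers named above. It is the kind of check you would run against a distribution after attaching a response headers policy, to confirm that the headers actually reach the browser. The sample header sets, the minimum HSTS max-age, and the expected values are assumptions chosen for the example, not values taken from a CloudFront managed policy.

```python
"""Audit a response for Strict-Transport-Security, X-Frame-Options and
X-Content-Type-Options. Added example; thresholds below are assumptions."""
from typing import Dict, List, Optional

MIN_HSTS_MAX_AGE = 31_536_000  # one year in seconds (assumed minimum)


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare on lower-cased names."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def _parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=N; includeSubDomains; preload' into a directive map."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip() or None
    return directives


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the response passes."""
    h = _normalize(headers)
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        d = _parse_hsts(hsts)
        max_age = d.get("max-age")
        if max_age is None or not max_age.isdigit():
            findings.append("Strict-Transport-Security has no valid max-age")
        elif int(max_age) < MIN_HSTS_MAX_AGE:
            findings.append(
                f"Strict-Transport-Security max-age {max_age} below {MIN_HSTS_MAX_AGE}"
            )
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unexpected value {xfo!r}")

    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing")
    elif xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options has unexpected value {xcto!r}")

    return findings


# Constructed sample responses (not captured from a real distribution).
HARDENED_RESPONSE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html",
}
WEAK_RESPONSE_HEADERS = {
    "strict-transport-security": "max-age=300",
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED_RESPONSE_HEADERS),
                        ("weak", WEAK_RESPONSE_HEADERS)):
        print(label, audit_security_headers(hdrs) or ["OK"])
```

The weak sample deliberately ships a short-lived HSTS header and nothing else, which is a common state for an application that was partially hardened before CloudFront was put in front of it; the audit reports each gap separately so the findings map directly onto the policy settings you would change.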
Another consideration for enhanced security using HTTP headers is Cross-Origin Resource Sharing (CORS). In modern applications, the use of cross-domain resources is common. Browsers allow content from the same origin (domain) to be loaded freely. To allow requests that have a different origin (domain, protocol, or port), CORS must be enabled. For more information on which browser requests require CORS, see What requests use CORS.
A number of HTTP headers relate to CORS, but two response headers are most important for security:
- Access-Control-Allow-Origin specifies which origin can access a site.
- Access-Control-Allow-Methods specifies which HTTP request methods (GET, PUT, DELETE, and others) can be used to access resources.
CloudFront supports the configuration of these CORS response headers with a response headers policy. You can choose to use managed policies, or you can customize CORS behaviors to allow only a specific origin web site to use the resources that you’re sharing.
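The following Python example is added here to illustrate the two headers above; it is not code from the whitepaper or from CloudFront. It models both sides of the exchange: the server-side decision that produces Access-Control-Allow-Origin and Access-Control-Allow-Methods for a specific-origin allowlist (the "allow only a specific origin web site" behaviour described above), and the check a browser performs on those headers before letting page script read a cross-origin response. The helper that builds a CorsConfig dictionary follows the ResponseHeadersPolicyConfig.CorsConfig shape of the CloudFront API as I know it and is an assumption to verify against the Developer Guide; the origins and sample requests are constructed for the example.

```python
"""Model CORS allow-origin and allow-methods handling. Added example."""
from typing import Dict, List, Optional, Set

# Methods that browsers send without a preflight (Fetch spec "simple" methods).
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_METHODS = ["GET", "HEAD", "OPTIONS"]  # assumed policy for the example


def allow_origin_for(request_origin: Optional[str],
                     allowed_origins: Set[str]) -> Dict[str, str]:
    """Server side: emit CORS headers only for an origin on the allowlist.

    The header echoes exactly one origin rather than '*', and Vary: Origin
    is added so a shared cache never serves one origin's answer to another.
    """
    if request_origin is None or request_origin not in allowed_origins:
        return {}  # no CORS headers: the browser will block cross-origin reads
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        "Vary": "Origin",
    }


def browser_allows(page_origin: str, method: str,
                   response_headers: Dict[str, str]) -> bool:
    """Client side: would a browser let script on page_origin read the response?"""
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False
    if acao != "*" and acao != page_origin:
        return False
    if method.upper() not in SIMPLE_METHODS:
        # Preflighted request: the method must be listed explicitly.
        listed = {m.strip().upper()
                  for m in h.get("access-control-allow-methods", "").split(",")
                  if m.strip()}
        if method.upper() not in listed:
            return False
    return True


def cloudfront_cors_config(allowed_origins: List[str]) -> Dict[str, object]:
    """Build the CorsConfig block of a CloudFront response headers policy.

    Assumption: key names follow the CloudFront API's ResponseHeadersPolicyConfig.
    OriginOverride=True makes CloudFront replace any CORS headers the origin sends.
    """
    return {
        "AccessControlAllowOrigins": {"Quantity": len(allowed_origins),
                                      "Items": list(allowed_origins)},
        "AccessControlAllowHeaders": {"Quantity": 1, "Items": ["Content-Type"]},
        "AccessControlAllowMethods": {"Quantity": len(ALLOWED_METHODS),
                                      "Items": list(ALLOWED_METHODS)},
        "AccessControlAllowCredentials": False,
        "OriginOverride": True,
    }


# Constructed allowlist for the example.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://untrusted.example.net"):
        hdrs = allow_origin_for(origin, ALLOWED_ORIGINS)
        print(origin, "->", hdrs, "GET allowed:", browser_allows(origin, "GET", hdrs))
    print(cloudfront_cors_config(sorted(ALLOWED_ORIGINS)))
```

Two design choices are worth noting. Returning no CORS headers at all for an unknown origin is the safe default: the browser then treats the response as opaque. And because the allow-origin value changes per requester, Vary: Origin is what keeps a cache such as CloudFront from handing the echoed origin of one site to a different one.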
To learn more about configuring a response headers policy, refer to the Amazon CloudFront Developer Guide.