Improving security by enabling security-specific headers
To improve the security of your content, you can use HTTP security headers that are natively supported by the HTTP protocol and most modern browsers. These security headers tell the browser how to behave when handling website content. They can, for example, enforce communication over HTTPS, or define where JavaScript content may be loaded from.
The Open Web Application Security Project
Security headers are commonly implemented in the web application configuration, but when that is not possible, they can be added as part of the request-handling process in CloudFront by modifying the origin response with a Lambda@Edge function. An example implementation is shared in this blog post.
Another consideration for enhanced security using HTTP headers is the appropriate configuration of Cross-origin resource sharing (CORS).
A number of HTTP headers relate to CORS, but two response headers are most important for security:
- Access-Control-Allow-Origin specifies which domains can access a site.
- Access-Control-Allow-Methods specifies which HTTP request methods (GET, PUT, DELETE, and others) can be used to access resources.
To implement CORS securely, you must maintain a validation list of the specific domains that are permitted to access resources, and set the Access-Control-Allow-Origin header only after checking the requesting domain against that list. Your application validates each request's origin against this list before granting access.
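The following added example (not code from the source or from AWS) combines the two techniques above in a single Lambda@Edge origin-response function: it stamps a fixed set of security headers on every response and sets Access-Control-Allow-Origin only when the request's Origin exactly matches a validation list. The allow-listed domains, the header values and the sample event are all assumptions constructed for illustration.

```javascript
// Exact-origin allow list (assumed values; replace with the domains your
// application actually serves). Wildcards are deliberately not supported.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Security headers applied to every response (assumed defaults, not values
// taken from the source).
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
};

// CloudFront represents headers as lowercase name -> [{ key, value }].
function setHeader(headers, name, value) {
  headers[name.toLowerCase()] = [{ key: name, value }];
}

// Origin-response handler body: adds the security headers, then emits CORS
// headers only on an exact allow-list match, never by reflecting an arbitrary
// Origin value or answering '*'. In Lambda@Edge, deploy it as
//   exports.handler = async (event) => addSecurityHeaders(event);
function addSecurityHeaders(event) {
  const { request, response } = event.Records[0].cf;
  const headers = response.headers;
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    setHeader(headers, name, value);
  }
  const origin = request.headers.origin ? request.headers.origin[0].value : null;
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    setHeader(headers, 'Access-Control-Allow-Origin', origin);
    setHeader(headers, 'Access-Control-Allow-Methods', 'GET, HEAD');
    setHeader(headers, 'Vary', 'Origin'); // caches must key on Origin
  } else {
    // Strip any permissive CORS header the origin server may have sent.
    delete headers['access-control-allow-origin'];
  }
  return response;
}

// Constructed sample origin-response event (not real traffic): the origin
// server answered with a wildcard ACAO header that the function overrides.
function makeEvent(origin) {
  const request = { headers: origin ? { origin: [{ key: 'Origin', value: origin }] } : {} };
  const response = {
    status: '200',
    headers: { 'access-control-allow-origin': [{ key: 'Access-Control-Allow-Origin', value: '*' }] },
  };
  return { Records: [{ cf: { request, response } }] };
}
```

Because the response now differs per Origin, the Vary header matters: without it a CloudFront cache could serve one allow-listed origin's CORS response to another caller.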