Improving security by enabling security specific headers - Secure Content Delivery with Amazon CloudFront

Improving security by enabling security specific headers

To improve the security of your content, you can use HTTP security headers, which are part of the HTTP protocol and supported by most modern browsers. These response headers tell the browser how to behave when handling your content: for example, to communicate with the site only over HTTPS, or to load JavaScript only from the sources you specify.

The Open Web Application Security Project (OWASP) provides guidance on implementing HTTP security headers through its OWASP Secure Headers Project; the latest guidance includes examples and recommended values for each header.

Security headers are commonly set in the web application's own configuration, but you can alternatively configure CloudFront to add them to responses at the edge. CloudFront provides this through a response headers policy, and it ships with managed policies that already include security headers such as Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, and others. Each header in a policy can be set to override a header of the same name sent by the origin, so the value you configure at the edge wins even if the application sends a weaker one.
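The following is an added example, not code from the whitepaper or from AWS. It builds the policy configuration for the security headers just listed and then audits a set of response headers against the same baseline, which is the check you would run against a distribution after attaching the policy. The config dict follows the ResponseHeadersPolicyConfig structure accepted by boto3's cloudfront.create_response_headers_policy; the field names are an assumption to verify against the current CloudFront API reference, and the sample header sets are constructed for illustration.

```python
"""Response headers policy with security headers, plus an audit of a
response against the same baseline.

Added example, not from the whitepaper or AWS. The config dict follows the
ResponseHeadersPolicyConfig shape accepted by boto3's
cloudfront.create_response_headers_policy (an assumption: verify the field
names against the current CloudFront API reference). Sample header sets are
constructed for illustration.
"""

ONE_YEAR = 31536000  # seconds; a common minimum for a meaningful HSTS max-age


def security_headers_policy_config(name="hardened-security-headers"):
    """Return a ResponseHeadersPolicyConfig setting the common security headers.

    Override=True makes CloudFront replace a header of the same name that the
    origin already sends, so the hardened value wins over a weaker one.
    """
    return {
        "Name": name,
        "Comment": "Security headers added at the edge (assumed example)",
        "SecurityHeadersConfig": {
            "StrictTransportSecurity": {
                "Override": True,
                "IncludeSubdomains": True,
                "Preload": False,  # enable only once every subdomain is HTTPS-only
                "AccessControlMaxAgeSec": ONE_YEAR,  # the HSTS max-age in this API
            },
            "FrameOptions": {"Override": True, "FrameOption": "DENY"},
            "ContentTypeOptions": {"Override": True},  # X-Content-Type-Options: nosniff
            "ReferrerPolicy": {
                "Override": True,
                "ReferrerPolicy": "strict-origin-when-cross-origin",
            },
            "ContentSecurityPolicy": {
                "Override": True,
                "ContentSecurityPolicy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
            },
        },
    }


def hsts_max_age(value):
    """Parse the max-age directive out of a Strict-Transport-Security value."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return 0


def audit_security_headers(headers):
    """Return findings for a response's headers (names matched case-insensitively).

    An empty list means the response meets the baseline set by the policy above.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append(f"HSTS max-age {hsts_max_age(hsts)} is below one year")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = h.get("content-security-policy", "")
    frame = h.get("x-frame-options", "").strip().upper()
    if frame not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if not csp:
        findings.append("missing Content-Security-Policy")
    return findings


# Constructed sample: headers an unhardened origin typically returns
ORIGIN_HEADERS = {"Content-Type": "text/html", "Server": "nginx"}

# Constructed sample: the same response with the headers the policy above adds
EDGE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for label, headers in (("origin", ORIGIN_HEADERS), ("edge", EDGE_HEADERS)):
        print(label, audit_security_headers(headers) or "OK")
```

The audit deliberately accepts either X-Frame-Options or a CSP frame-ancestors directive as clickjacking protection, since modern browsers honour the CSP form and the policy above sets both. Run it against the headers your distribution actually returns (for example, the output of curl -I) rather than against the policy document: a header that the origin sends and that the policy does not override will still reach the browser unchanged.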

Another consideration for enhanced security using HTTP headers is the correct configuration of Cross-Origin Resource Sharing (CORS). Modern applications routinely need resources from other domains, and the browser's default same-origin policy, which only lets a page read responses from its own origin, is impractical for them. To allow a page to read responses from a different origin (a different scheme, host, or port), the server hosting the resource must opt in by sending CORS response headers.

A number of HTTP headers relate to CORS, but two response headers matter most for security:

  • Access-Control-Allow-Origin specifies which origins may read the response. Name a specific origin rather than using the wildcard *, and never combine * with Access-Control-Allow-Credentials: true; browsers reject that combination, and reflecting an arbitrary request Origin instead of checking it against an allow list gives every site the same access.

  • Access-Control-Allow-Methods specifies which HTTP request methods (GET, PUT, DELETE, and others) a cross-origin caller may use against the resource. Allow only the methods the application actually needs.

CloudFront supports configuring these CORS response headers through the response headers policy. You can use one of the managed CORS policies, or customize the CORS behavior to allow only a specific origin web site to use the resources that you're sharing.
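As an added example that is not part of the whitepaper or AWS's own code, the block below shows the two halves of a restrictive CORS setup: the CorsConfig section of a response headers policy that allow-lists specific origins, and the response decision that such an allow list implies, shown beside the weak reflect-any-origin behaviour it replaces. The CorsConfig field names follow the ResponseHeadersPolicyConfig structure accepted by boto3's cloudfront.create_response_headers_policy and are an assumption to verify against the current API reference; the decision functions model what the browser receives and are not CloudFront's implementation, and the origins are constructed for illustration.

```python
"""CORS allow-listing: the policy config that restricts Access-Control-Allow-Origin
to named origins, and the response decision that goes with it, with the weak
reflect-any-origin behaviour alongside for contrast.

Added example, not from the whitepaper or AWS. cors_policy_config() follows the
CorsConfig section of CloudFront's ResponseHeadersPolicyConfig as accepted by
boto3's cloudfront.create_response_headers_policy (an assumption: verify field
names against the current API reference). The two decision functions model
what a browser receives; they are not CloudFront's implementation. The origins
used below are constructed for illustration.
"""

ALLOWED_ORIGINS = ("https://app.example.com", "https://admin.example.com")


def cors_policy_config(allowed_origins, methods=("GET", "HEAD", "OPTIONS"),
                       allow_credentials=False, name="restricted-cors"):
    """Return a ResponseHeadersPolicyConfig whose CORS section allow-lists origins."""
    if allow_credentials and "*" in allowed_origins:
        # Browsers reject a wildcard origin combined with credentials, so such a
        # policy would silently break every credentialed cross-origin call.
        raise ValueError("Access-Control-Allow-Origin: * cannot be combined with credentials")
    return {
        "Name": name,
        "CorsConfig": {
            "AccessControlAllowOrigins": {"Quantity": len(allowed_origins), "Items": list(allowed_origins)},
            "AccessControlAllowHeaders": {"Quantity": 1, "Items": ["Content-Type"]},
            "AccessControlAllowMethods": {"Quantity": len(methods), "Items": list(methods)},
            "AccessControlAllowCredentials": allow_credentials,
            "AccessControlMaxAgeSec": 600,  # how long the browser may cache a preflight
            "OriginOverride": True,  # replace CORS headers the origin itself sends
        },
    }


def weak_cors_headers(request_origin):
    """The common misconfiguration: echo whatever Origin the request carries.

    Any site can then read the response, and with credentials it can do so as
    the logged-in user.
    """
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}


def strict_cors_headers(request_origin, allowed_origins, allow_credentials=False):
    """Exact-match allow-list: only an origin on the list is echoed back.

    The comparison covers the whole origin (scheme, host and port). Substring or
    suffix matching would admit https://app.example.com.attacker.net, and a
    scheme-less match would admit a plaintext http:// impersonation.
    """
    if "*" in allowed_origins and not allow_credentials:
        return {"Access-Control-Allow-Origin": "*"}  # public, credential-free resource
    if request_origin not in allowed_origins:
        return {}  # no CORS headers at all: the browser blocks the cross-origin read
    headers = {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",  # the value depends on the request, so caches must key on it
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://app.example.com.attacker.net"):
        print(origin, "->", strict_cors_headers(origin, ALLOWED_ORIGINS))
```

Two points carry over to whatever actually emits the headers, CloudFront included: the allowed value must be compared as a complete origin, so a look-alike such as https://app.example.com.attacker.net or the http:// form of a real origin gets nothing; and a response whose Access-Control-Allow-Origin changes with the request's Origin must carry Vary: Origin, otherwise an intermediate cache can serve one origin's answer to another.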

To understand more about configuring the response headers policy, refer to the Amazon CloudFront Developer Guide.