Improving security by enabling security specific headers
To improve the security of your content, you can use HTTP security headers that are natively supported by the HTTP protocol and most modern browsers. These security headers tell the browser how to behave when handling website content. They can do things such as enforced communications over HTTPS, or defining from where JavaScript content can be loaded.
The Open Web Application
Security Project
Security headers are commonly implemented using the web application configuration, but
alternatively you can configure CloudFront to add those security response headers for your
application if required. CloudFront provides this configuration through a response headers
policy, and it comes with some managed policies that already has security headers such as
Strict-Transport-Security
, X-Frame-Options
, X-Content-Type-Options
, and so on.
Another consideration for enhanced security using HTTP headers is the appropriate configuration of Cross-origin resource sharing (CORS). In modern applications, the use of cross-domain resources is a necessity. The default restriction from browsers that only allows content from the same origin is impractical. To allow requests that have different origins (domain, protocol, or port), CORS must be enabled.
A number of HTTP headers relate to CORS, but two response headers are most important for security:
-
Access-Control-Allow-Origin
specifies which domains can access a site. -
Access-Control-Allow-Methods
specifies which HTTP request methods (GET
,PUT
,DELETE
, and others) can be used to access resources.
CloudFront support the configuration of these CORS response headers with the response headers policy. You can choose to use managed policies, or you can customize CORS behavior to allow only a specific origin web site to use the resources that you’re sharing.
To understand more about configuring the response headers policy, refer the Amazon CloudFront Developer Guide.