
(CloudFrontToS3): defaults - use cloudfront function instead of lambda@edge for response security headers #233

Closed
naseemkullah opened this issue Jun 25, 2021 · 7 comments
Labels: feature-request (A feature should be added or improved), needs-triage (The issue or PR still needs to be triaged)

Comments

@naseemkullah (Contributor)

Use https://github.com/aws-samples/amazon-cloudfront-functions/blob/main/add-security-headers/index.js for the response security header configuration default instead of lambda@edge

Use Case

See https://github.com/aws-samples/amazon-cloudfront-functions#overview for why this is an improved approach.

Proposed Solution

Replace the default lambda at edge function with the following cloudfront function https://github.com/aws-samples/amazon-cloudfront-functions/blob/main/add-security-headers/index.js

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@biffgaut (Contributor)

We agree - we already have an internal task looking at making this replacement! :-)

@naseemkullah (Contributor, Author)

Great to hear @biffgaut!

@naseemkullah (Contributor, Author)

@biffgaut can you confirm that the function would be appended to any user-defined functions in defaultBehavior.functionAssociations?

@naseemkullah (Contributor, Author)

One more request 😄 ... that the CSP header values be configurable, as mentioned in https://github.com/aws-samples/amazon-cloudfront-functions/tree/main/add-security-headers#add-http-security-headers:

> Important: Adjust the CSP policy to your specific needs.

Same goes for X-Frame-Options and X-XSS-Protection, though if this is out of scope for the insertHttpSecurityHeaders option, one can merely disable the option and copy, paste and adjust https://github.com/aws-samples/amazon-cloudfront-functions/blob/main/add-security-headers/index.js to suit one's needs.

@biffgaut (Contributor)

Hitendra Nishar is looking at this on our end; I've pinged him to ensure he sees your notes. Our primary goal is to not break existing code, but adding additional optional props is possible.

@naseemkullah (Contributor, Author) commented Jun 28, 2021

Hi @hnishar!

For some context, we had to disable the default function (and pass in our own custom security headers CloudFront function based on https://github.com/aws-samples/amazon-cloudfront-functions/blob/main/add-security-headers/index.js); I expect the same for other organizations.

What would make this truly usable is a nice interface for adjusting the various headers, in particular those that https://github.com/aws-samples/amazon-cloudfront-functions/tree/main/add-security-headers#add-http-security-headers mentions as important to adjust to one's specific needs.
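An added example, not code from this project or from the aws-samples repository, of the pattern the last two comments ask for: a CloudFront Function viewer-response handler whose header set is built from defaults plus site-specific overrides (the override values and the CSP strings are constructed samples, and an override of `null` drops a default header):

```javascript
// Added example, not the project's or aws-samples' code: a CloudFront Function
// (viewer-response event) that sets security headers from a configurable
// policy, in the var-only ES5 style the CloudFront Functions runtime accepts.
var DEFAULT_SECURITY_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubdomains; preload',
  'content-security-policy': "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'none'",
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'same-origin'
};
// Site-specific overrides (constructed sample values); null removes a default.
var SITE_OVERRIDES = {
  'content-security-policy': "default-src 'self'; img-src 'self' data:",
  'x-frame-options': 'SAMEORIGIN'
};
// Merge defaults and overrides. Names are lowercased because the CloudFront
// Functions response object keys headers in lowercase.
function buildSecurityHeaders(defaults, overrides) {
  var result = {};
  Object.keys(defaults).forEach(function (name) {
    result[name.toLowerCase()] = defaults[name];
  });
  Object.keys(overrides).forEach(function (name) {
    if (overrides[name] === null) {
      delete result[name.toLowerCase()];
    } else {
      result[name.toLowerCase()] = overrides[name];
    }
  });
  return result;
}
// Write the header set onto the response as { value: ... } entries,
// overwriting any same-named header the origin sent so the policy wins.
function applySecurityHeaders(response, headerSet) {
  Object.keys(headerSet).forEach(function (name) {
    response.headers[name] = { value: headerSet[name] };
  });
  return response;
}
// CloudFront Functions entry point; associate it with viewer-response.
function handler(event) {
  var policy = buildSecurityHeaders(DEFAULT_SECURITY_HEADERS, SITE_OVERRIDES);
  return applySecurityHeaders(event.response, policy);
}
```

Because the handler overwrites same-named headers, a permissive value sent by the origin cannot weaken the policy; other origin headers pass through untouched.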

@ranrotx commented Jul 21, 2021

I'm not sure if this should be a separate issue, but it would be great to be able to leverage CloudFront Functions for re-writing vanity URLs (such as example.com/about or example.com/about/) to reference a valid key when fetching via the REST API from S3 as required when using CloudFront Origin Access Identity.
