How do I add HTTP security headers to CloudFront responses?


I want to add HTTP security headers to Amazon CloudFront responses. How can I do this?

Short description

HTTP security headers improve the privacy and security of a web application and protect it from vulnerabilities on the client side. The most common HTTP security headers are:

CloudFront response header policies allow you to add one or more HTTP security headers to a response from CloudFront.


You can use the managed security headers response policy that includes pre-defined values for the most common HTTP security headers. Or, you can create a custom response header policy with custom security headers and values that can be added to the required CloudFront behavior.

Create a custom response headers policy from the AWS console

  1. Open the CloudFront console.
  2. From the navigation menu, choose Policies. Then, choose Response headers.
  3. Choose Create response headers policy.
  4. Under Security headers, select each of the security headers that you want to add to the policy. Add or select the required values for each header.
  5. Under Custom headers, add the custom security headers and values that you want CloudFront to add to the responses.
  6. Fill out other fields as required. Then, select Create.

Attach response headers policy to a cache behavior

After you create a response headers policy, attach it to a cache behavior in a CloudFront distribution. To attach a managed or custom security headers response policy to an existing CloudFront distribution:

  1. Open the CloudFront console.
  2. Choose the distribution you want to update.
  3. Under the Behaviors tab, select the cache behavior you want to modify. Then, choose Edit.
  4. For Response headers policy, choose SecurityHeadersPolicy or choose the custom policy that you created.
  5. Choose Save changes.

The following is an example of a CloudFront response with HTTP security response headers:

    curl -I

    HTTP/2 200
    content-type: text/html
    content-length: 9850
    vary: Accept-Encoding
    date: xxxxxxxxx
    last-modified: xxxxxxx
    etag: "c59c5ef71f3350489xxxxxxxxxx"
    x-amz-server-side-encryption: AES256
    cache-control: no-store, no-cache, private
    x-amz-version-id: null
    accept-ranges: bytes
    server: AmazonS3
    x-xss-protection: 1; mode=block
    x-frame-options: SAMEORIGIN
    referrer-policy: strict-origin-when-cross-origin
    x-content-type-options: nosniff
    strict-transport-security: max-age=31536000
    x-cache: Miss from cloudfront
    via: 1.1 (CloudFront)
    x-amz-cf-pop: BOS50-C3
    x-amz-cf-id: nHNANTZYdkQkE5BmsqlisPTiodFhVCK-Sf9Zp4iJzNs04eWi1_hEig==
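
One way to confirm that the attached policy is taking effect, as an added example that is not part of the original article: the script parses `curl -I` output and compares it with the security header values in the example response above. The function names, the SAMPLE text and the exact-match rule are assumptions of this example.

```python
import sys

# Expected values are the ones in the example response on this page.
EXPECTED = {
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "SAMEORIGIN",
    "referrer-policy": "strict-origin-when-cross-origin",
    "x-content-type-options": "nosniff",
}
MIN_HSTS_MAX_AGE = 31536000  # seconds, as in the example response
# Constructed sample: a redirect, then a final response that lacks HSTS.
SAMPLE = ("HTTP/2 301\nstrict-transport-security: max-age=31536000\n\n"
          "HTTP/2 200\nX-Frame-Options: SAMEORIGIN\nreferrer-policy: unsafe-url\n")

def parse_headers(raw):
    """Parse `curl -I` output into {lowercased name: value} for the last response."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/"):
            headers = {}  # new response block, e.g. after a redirect
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        key, _, val = (part.strip() for part in directive.partition("="))
        if key.lower() == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"'))
    return None

def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    headers, findings = parse_headers(raw), []
    for name, want in EXPECTED.items():
        got = headers.get(name)
        if got is None or got.lower() != want.lower():
            findings.append(f"{name}: got {got!r}, want {want!r}")
    age = hsts_max_age(headers.get("strict-transport-security", ""))
    if age is None or age < MIN_HSTS_MAX_AGE:
        findings.append("missing or weak: strict-transport-security")
    return findings

if __name__ == "__main__":
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(audit(raw)) or "all expected security headers present")
```

Pipe the output of `curl -sI` for a URL served by the distribution into the script; run without a pipe, it audits SAMPLE. Only the final response block is checked, so headers set on an intermediate redirect do not mask a missing header on the page itself.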

AWS OFFICIAL. Updated 2 years ago