Handle custom header in AWS API Gateway?

0

I have used API Gateway to build business logic for my app that invokes a Lambda function. For security assurance, I have generated a VAT report of the base URL of the API from my cyber security expert. A total of 9 vulnerabilities have been detected: four medium, three low-level, and two informational-level vulnerabilities have been identified.

  1. (CSP) Wild Card Directive
  2. Content Security Policy (CSP) Header Not Set
  3. Cross-Domain Misconfiguration
  4. Missing Anti-clickjacking Header
  5. Server Leaks Information via “X-Powered-By” HTTP Response Header Field(s)
  6. Timestamp Disclosure – Unix
  7. X-Content-Type-Options Header Missing
  8. Charset Mismatch
  9. Re-examine Cache Directives

How can I remove all these vulnerabilities? Is there a need to set or define custom headers? (If yes, where and how can I do that: in the API Gateway console, in the Lambda script, or in my client or app-side code where this API Gateway base URL is invoked?)

2 Answers
1
Accepted Answer

It depends on your requirements and whether you expect the headers to be sent as part of the client request or need to add the headers before the request hits the API Gateway.

If you need to block client requests if some headers are missing, you can associate a WAF ACL with the API Gateway and define rules to block requests without mandatory headers.

Look at these two for guidance

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html

https://aws.amazon.com/premiumsupport/knowledge-center/waf-block-http-requests-no-user-agent/

If the requirement is that the headers need to be added to the request before the request reaches the API Gateway even if the client did not send the headers, you can do so using Lambda@Edge with a Cloudfront distribution in front of your API Gateway.

Look at these for guidance

https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/ (this example shows response headers, but you can apply similar concepts to the request headers with some changes)

https://docs.amazonaws.cn/en_us/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-how-it-works-tutorial.html

Some examples of Lambda@Edge functions - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html

AWS
EXPERT
answered 2 years ago
  • Good day - I was curious - Why Lambda@Edge and not CloudFront Functions to do this? Lambda@Edge seems extremely "heavy" when CF Functions can manipulate headers as well?

0

Lambda@Edge functions with CloudFront work fine for my scenario. I have added one additional thing that may be the easiest way to remove security header vulnerabilities. I have created and deployed the Express app to Lambda.

By default, Express.js sends the X-Powered-By response header banner. This can be disabled using the app.disable() method:

app.disable('x-powered-by')

and also apply headers on the express app

const express = require('express');
const app = express();

app.use(function (req, res, next) {
  res.header('Strict-Transport-Security', 'max-age=63072000');
  // Note: "null" is not a safe deny value; browsers send "Origin: null" for
  // sandboxed iframes and some redirects, so an explicit allow-listed origin is safer.
  res.header('Access-Control-Allow-Origin', 'null');
  res.header('Referrer-Policy', 'no-referrer');
  // Permissions-Policy uses structured-field syntax; the Feature-Policy form
  // `microphone 'none'` is not parsed by browsers under this header name.
  res.header('Permissions-Policy', 'microphone=(), geolocation=()');
  res.header('X-Frame-Options', 'DENY');
  res.header('Content-Type', 'application/json; charset=UTF-8');
  res.header('Cache-Control', 'no-store');
  res.header('X-Content-Type-Options', 'nosniff');
  return next();
});
answered 2 years ago
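Putting the two answers together, here is an added example (not code from either answer, nor from AWS): a Lambda@Edge origin-response handler in Node.js that applies the header fixes for the findings listed in the question to every response coming back from API Gateway through CloudFront. ALLOWED_ORIGINS and the header values are assumptions for a JSON API; replace them with your real client origin and policy.

```javascript
'use strict';
// Lambda@Edge origin-response handler. ALLOWED_ORIGINS is a constructed placeholder:
// list the real client origins; never use "*" or reflect the request Origin blindly.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Fixed headers covering findings 1, 2, 4, 7 and 9 from the question (no wildcard
// CSP directives, anti-clickjacking, nosniff, no-store), plus the usual companions.
const FIXED_HEADERS = {
  'content-security-policy': "default-src 'none'; frame-ancestors 'none'",
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'cache-control': 'no-store',
  'referrer-policy': 'no-referrer',
  'permissions-policy': 'microphone=(), geolocation=()',
  'strict-transport-security': 'max-age=63072000; includeSubDomains',
};
const STRIPPED_HEADERS = ['x-powered-by']; // finding 5: server banner leak

// CloudFront keys the header map by lower-cased name; `key` carries display casing.
const displayCase = (n) => n.replace(/(^|-)([a-z])/g, (m, sep, c) => sep + c.toUpperCase());
const setHeader = (h, n, v) => { h[n] = [{ key: displayCase(n), value: v }]; };
const firstValue = (h, n) => (h && h[n] && h[n][0] ? h[n][0].value : undefined);

function addSecurityHeaders(request, response) {
  const headers = response.headers;
  STRIPPED_HEADERS.forEach((n) => delete headers[n]);
  Object.entries(FIXED_HEADERS).forEach(([n, v]) => setHeader(headers, n, v));
  // Finding 8 (charset mismatch): pin the charset on JSON bodies that lack one.
  const ct = firstValue(headers, 'content-type');
  if (ct && /^application\/json\b/i.test(ct) && !/charset=/i.test(ct)) {
    setHeader(headers, 'content-type', 'application/json; charset=UTF-8');
  }
  // Finding 3 (cross-domain): drop whatever the origin sent; echo only an allow-listed Origin.
  delete headers['access-control-allow-origin'];
  const origin = firstValue(request.headers, 'origin');
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    setHeader(headers, 'access-control-allow-origin', origin);
    setHeader(headers, 'vary', 'Origin');
  }
  return response;
}

// Lambda entry point: CloudFront passes the request alongside the origin's response.
async function handler(event) {
  const { request, response } = event.Records[0].cf;
  return addSecurityHeaders(request, response);
}
if (typeof module !== 'undefined') module.exports = { handler, addSecurityHeaders };
```

Attach it to the CloudFront distribution's origin-response event; the Express-side settings in the answer above then become defence in depth rather than the only control.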
