Cloudfront CSP headers limited to 1784 characters

0

Hello all, Recently (November 2nd 2021) AWS Cloudfront started supporting CORS Headers directly, without use of a lambda (https://forums.aws.amazon.com/ann.jspa?annID=8973).

Unfortunately, that does not seem to support more than 1784 characters for the CSP (Content Security Policy) header. The error (from the API using Terraform) if I'm trying to set a bigger than 1784 CSP Header is:

Error: error creating CloudFront Response Headers Policy (anthony-test-web-response-headers-policy): InvalidArgument: The parameter Content-Security-Policy contains header value that is too big.
      status code: 400, request id: xxx-xxxx-xxxxxx

In the website I wish to deploy using CloudFront, I rather need 3x times that limit - Nginx running on EC2 is actually totally OK with such a big CSP header.

Currently I'm thinking on how I can reduce my existing CSP header; but I really wish AWS Cloud Front had a bigger limit.

Any explanation why? Is it a bug I should report to AWS team?

Thanks

5 Answers
1

Hi, Try using CloudFront function rather, it is another alternative to lambda@edge for such use cases. I recently used it with fairly large CSP headers.

See these articles for more implementation details,

https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/ https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example-function-add-security-headers.html Hope this helps.

answered a year ago
0

Hi, Above suggestion is for implementing 'CloudFront Function' , not lambda@edge. CloudFront function is as simple as modifying your distribution. There are two types of edge functions available with CloudFront -

  1. Lambda@edge
  2. CloudFront Function

thanks

answered a year ago
0

I had the same issue and opened a support ticket and had my limit raised you should be able to as well if you have support

FScalzo
answered 7 months ago
  • ah ! that's a good point, we could have done that, but eventually we refactored our CSPs to be under 1784 chars.

0

Hey there!

Thanks for your answer!

Yeah, that is an option on the table, and thanks for confirming it can handle large headers.

But I wish I only got to customize an existing Cloudfront distribution, rather than provisioning a lambda at edge in addition to it.

When you think about it, wasn't the November 2nd announcement specifically to allow users NOT TO rely on lambda at edge anymore for headers?

answered a year ago
0

Hello @AWS-User-0834290! So I set up CloudFront Functions, using Terraform, for reference, that looked like this:

  default_cache_behavior {
    [...]
    function_association {
      event_type   = "viewer-response"
      function_arn = aws_cloudfront_function.test.arn
    }

  }
  resource "aws_cloudfront_function" "test" {
    name    = "test"
    runtime = "cloudfront-js-1.0"
    comment = "my function"
    publish = true
    code    = file("${path.module}/headers.js")
 }
function handler(event) {
    var response = event.response;
    var headers = response.headers;

    // Set HTTP security headers
    // Since JavaScript doesn't allow for hyphens in variable names, we use the dict["key"] notation
    headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'};
    headers['content-security-policy'] = { value: "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; frame-ancestors 'none'"};
    headers['x-content-type-options'] = { value: 'nosniff'};
    headers['x-frame-options'] = {value: 'DENY'};
    headers['x-xss-protection'] = {value: '1; mode=block'};
    headers['referrer-policy'] = {value: 'same-origin'};

    // Return the response to viewers
    return response;
}

and it worked... EXCEPT for error pages !

Error pages would not send response headers from my function; unfortunately, I'm relying on them a lot since I'm serving a Single Page Application where I redirect 404s to index.html with 200.

So I'm back to square one, this time I just intend on reverting back to Response Headers Policy and review my CSP header, since I actually believe I can slim them down to 1784 characters or less without affecting security.

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions