It depends on your requirements and whether you expect the headers to be sent as part of the client request, or need to add the headers before the request hits the API Gateway.
If you need to block client requests when some headers are missing, you can associate a WAF web ACL with the API Gateway and define rules to block requests without the mandatory headers.
Look at these two for guidance:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html
https://aws.amazon.com/premiumsupport/knowledge-center/waf-block-http-requests-no-user-agent/
If the requirement is that the headers need to be added to the request before it reaches the API Gateway, even if the client did not send them, you can do so using Lambda@Edge with a CloudFront distribution in front of your API Gateway.
Look at these for guidance:
https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/ (this example shows response headers, but you can apply the same concepts to request headers with some changes)
Some examples of Lambda@Edge functions: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html
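The second option above (adding headers at the edge before the request reaches API Gateway) is easiest to see in a viewer-request trigger. The following is an added example, not code from the answer or from the AWS documentation linked above: a Node.js Lambda@Edge handler that fills in a set of mandatory request headers when the client did not send them, and leaves client-supplied values untouched. The header names and default values in `MANDATORY_REQUEST_HEADERS`, and the `buildSampleEvent` helper, are assumptions for illustration.

```javascript
'use strict';

// Added example, not code from the answer above: a Lambda@Edge viewer-request
// handler that makes sure a set of mandatory request headers exists before
// CloudFront forwards the request to the API Gateway origin. The header names
// and default values in MANDATORY_REQUEST_HEADERS are assumptions for
// illustration; replace them with whatever your backend actually requires.
const MANDATORY_REQUEST_HEADERS = {
  'x-api-client': 'cloudfront-edge', // assumed: identifies the calling channel
  'x-request-source': 'edge',        // assumed: marks traffic that came via CloudFront
};

// CloudFront represents headers as { 'lower-case-name': [{ key, value }, ...] }.
// Fills in any mandatory header that is absent or blank and returns the list of
// header names it added, so the behaviour can be logged or asserted on.
function ensureRequestHeaders(request) {
  const headers = request.headers || {};
  const added = [];
  for (const [name, defaultValue] of Object.entries(MANDATORY_REQUEST_HEADERS)) {
    const existing = headers[name];
    const present = Array.isArray(existing) && existing.length > 0 &&
      typeof existing[0].value === 'string' && existing[0].value.trim() !== '';
    if (!present) {
      headers[name] = [{ key: name, value: defaultValue }];
      added.push(name);
    }
  }
  request.headers = headers;
  return added;
}

// Lambda@Edge entry point: returning the (possibly modified) request object
// tells CloudFront to continue to the origin with those headers.
async function handler(event) {
  const request = event.Records[0].cf.request;
  ensureRequestHeaders(request);
  return request;
}

// Constructed sample event in the shape CloudFront passes to a viewer-request
// trigger (only the fields this handler touches are included).
function buildSampleEvent(headers) {
  return {
    Records: [{ cf: { request: { method: 'GET', uri: '/v1/items', headers } } }],
  };
}

if (typeof module !== 'undefined') {
  module.exports = { handler, ensureRequestHeaders, buildSampleEvent };
}
```

Deploy it as a viewer-request association on the CloudFront behavior that fronts the API Gateway stage; because the defaults are injected at the edge, the API Gateway (and any WAF rules behind it) will always see the headers present. Note that CloudFront rejects changes to certain reserved headers (for example `Host`), so keep to custom `x-` names as here.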
Lambda@Edge functions with CloudFront work fine for my scenario. I have added one additional thing that may be the easiest way to remove security header vulnerabilities. I have created and deployed the Express app to Lambda.
By default, Express.js sends the `X-Powered-By` response header banner. This can be disabled using the `app.disable()` method:
```javascript
app.disable('x-powered-by');
```
and also apply headers on the Express app:
```javascript
// Apply hardening headers to every response
app.use(function (req, res, next) {
  res.header('Strict-Transport-Security', 'max-age=63072000');
  // Note: a literal "null" origin is matched by opaque (sandboxed) origins, so it does
  // not deny cross-origin access; omitting Access-Control-Allow-Origin entirely is safer.
  res.header('Access-Control-Allow-Origin', 'null');
  res.header('Referrer-Policy', 'no-referrer');
  // Permissions-Policy uses the feature=(allowlist) form; the older
  // "feature 'none'" form is Feature-Policy syntax and would be ignored.
  res.header('Permissions-Policy', 'microphone=(), geolocation=()');
  res.header('X-Frame-Options', 'DENY');
  res.header('Content-Type', 'application/json; charset=UTF-8');
  res.header('Cache-Control', 'no-store');
  res.header('X-Content-Type-Options', 'nosniff');
  return next();
});
```
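Setting the headers is half the job; the other half is confirming that the deployed Lambda actually emits them. The following is an added example, not code from the answer above: a small audit function that checks a captured response-header set (from `curl -I`, an integration test or a Lambda test event) against the headers the middleware is meant to send, and flags the common mistakes (banner left on, Feature-Policy syntax in a Permissions-Policy header, a `null` CORS origin). The thresholds and accepted values in `CHECKS` and the two sample header sets are my own constructions.

```javascript
'use strict';

// Added example, not code from the answer above: audit a response-header set
// against the hardening headers the middleware is meant to emit. Thresholds and
// accepted values below are my own choices, not requirements from the answer.
const CHECKS = [
  {
    name: 'strict-transport-security',
    ok: v => { const m = /max-age=(\d+)/i.exec(v); return m !== null && Number(m[1]) >= 31536000; },
    why: 'HSTS max-age should be at least one year (31536000 seconds)',
  },
  { name: 'x-content-type-options', ok: v => v.toLowerCase() === 'nosniff', why: 'must be nosniff' },
  { name: 'x-frame-options', ok: v => ['deny', 'sameorigin'].includes(v.toLowerCase()), why: 'must be DENY or SAMEORIGIN' },
  {
    name: 'referrer-policy',
    ok: v => ['no-referrer', 'same-origin', 'strict-origin-when-cross-origin'].includes(v.toLowerCase()),
    why: 'should be a restrictive policy',
  },
  { name: 'cache-control', ok: v => /\bno-store\b/i.test(v), why: 'API responses should not be cached (no-store)' },
  {
    name: 'permissions-policy',
    ok: v => /^\s*[a-z-]+=\(/i.test(v),
    why: "expects Permissions-Policy syntax feature=(allowlist); the feature 'none' form is Feature-Policy and is ignored",
  },
  { name: 'x-powered-by', forbidden: true, why: "advertises the framework; disable it with app.disable('x-powered-by')" },
  {
    name: 'access-control-allow-origin',
    optional: true,
    ok: v => v.trim().toLowerCase() !== 'null',
    why: 'a literal "null" origin is matched by opaque (sandboxed) origins; omit the header to deny cross-origin access',
  },
];

// headers: plain object of header name -> value (any letter case).
// Returns a list of human-readable findings; an empty list means every check passed.
function auditSecurityHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const findings = [];
  for (const c of CHECKS) {
    const value = lower[c.name];
    if (c.forbidden) {
      if (value !== undefined) findings.push(`${c.name}: present (${c.why})`);
      continue;
    }
    if (value === undefined) {
      if (!c.optional) findings.push(`${c.name}: missing (${c.why})`);
      continue;
    }
    if (!c.ok(value)) findings.push(`${c.name}: weak value "${value}" (${c.why})`);
  }
  return findings;
}

// Constructed samples: a stock Express response, and one produced by the
// hardening middleware with the corrected Permissions-Policy syntax.
const STOCK_EXPRESS_HEADERS = { 'X-Powered-By': 'Express', 'Content-Type': 'text/html' };
const HARDENED_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000',
  'Referrer-Policy': 'no-referrer',
  'Permissions-Policy': 'microphone=(), geolocation=()',
  'X-Frame-Options': 'DENY',
  'Content-Type': 'application/json; charset=UTF-8',
  'Cache-Control': 'no-store',
  'X-Content-Type-Options': 'nosniff',
};

if (typeof module !== 'undefined') {
  module.exports = { auditSecurityHeaders, STOCK_EXPRESS_HEADERS, HARDENED_HEADERS };
}
```

Run `auditSecurityHeaders` over the headers of a real response to the deployed endpoint; a stock Express response yields seven findings, the hardened set yields none, and a header still written in Feature-Policy syntax shows up as a single "weak value" finding rather than passing silently.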
Good day - I was curious - Why Lambda@Edge and not CloudFront Functions to do this? Lambda@Edge seems extremely "heavy" when CF Functions can manipulate headers as well?