Strict transport security header on appsync responses

Question

What's the best way to have strict transport security header added to appsync responses?

I have seen recommendations around setting up cloudfront in front of appsync and setting the headers in cloudfront.

Answer

Hi,

I do see that there are similar workarounds to the workaround which you have mentioned. However, there is a feature that was just recently released by AppSync which adds support for custom response headers. Please refer to this [page](https://aws.amazon.com/about-aws/whats-new/2022/02/aws-appsync-support-custom-response-headers/) for the announcement of the feature.

This adds a new resolver utility $util.http.addResponseHeaders() to configure additional headers in the response for a GraphQL API operation.

The other workarounds will add additional workload/steps so it is recommended to use this utility to add headers in the appsync response.

Strict transport security header on appsync responses

相關內容