interface ResponseSecurityHeadersBehavior
| Language | Type name |
|---|---|
 .NET | Amazon.CDK.AWS.CloudFront.ResponseSecurityHeadersBehavior |
 Go | github.com/aws/aws-cdk-go/awscdk/v2/awscloudfront#ResponseSecurityHeadersBehavior |
 Java | software.amazon.awscdk.services.cloudfront.ResponseSecurityHeadersBehavior |
 Python | aws_cdk.aws_cloudfront.ResponseSecurityHeadersBehavior |
 TypeScript (source) | aws-cdk-lib » aws_cloudfront » ResponseSecurityHeadersBehavior |
Configuration for a set of security-related HTTP response headers.
CloudFront adds these headers to HTTP responses that it sends for requests that match a cache behavior associated with this response headers policy.
Example
// Using an existing managed response headers policy
declare const bucketOrigin: origins.S3Origin;
new cloudfront.Distribution(this, 'myDistManagedPolicy', {
defaultBehavior: {
origin: bucketOrigin,
responseHeadersPolicy: cloudfront.ResponseHeadersPolicy.CORS_ALLOW_ALL_ORIGINS,
},
});
// Creating a custom response headers policy -- all parameters optional
const myResponseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'ResponseHeadersPolicy', {
responseHeadersPolicyName: 'MyPolicy',
comment: 'A default policy',
corsBehavior: {
accessControlAllowCredentials: false,
accessControlAllowHeaders: ['X-Custom-Header-1', 'X-Custom-Header-2'],
accessControlAllowMethods: ['GET', 'POST'],
accessControlAllowOrigins: ['*'],
accessControlExposeHeaders: ['X-Custom-Header-1', 'X-Custom-Header-2'],
accessControlMaxAge: Duration.seconds(600),
originOverride: true,
},
customHeadersBehavior: {
customHeaders: [
{ header: 'X-Amz-Date', value: 'some-value', override: true },
{ header: 'X-Amz-Security-Token', value: 'some-value', override: false },
],
},
securityHeadersBehavior: {
contentSecurityPolicy: { contentSecurityPolicy: 'default-src https:;', override: true },
contentTypeOptions: { override: true },
frameOptions: { frameOption: cloudfront.HeadersFrameOption.DENY, override: true },
referrerPolicy: { referrerPolicy: cloudfront.HeadersReferrerPolicy.NO_REFERRER, override: true },
strictTransportSecurity: { accessControlMaxAge: Duration.seconds(600), includeSubdomains: true, override: true },
xssProtection: { protection: true, modeBlock: false, reportUri: 'https://example.com/csp-report', override: true },
},
removeHeaders: ['Server'],
serverTimingSamplingRate: 50,
});
new cloudfront.Distribution(this, 'myDistCustomPolicy', {
defaultBehavior: {
origin: bucketOrigin,
responseHeadersPolicy: myResponseHeadersPolicy,
},
});
Properties
| Name | Type | Description |
|---|---|---|
| content | Response | The policy directives and their values that CloudFront includes as values for the Content-Security-Policy HTTP response header. |
| content | Response | Determines whether CloudFront includes the X-Content-Type-Options HTTP response header with its value set to nosniff. |
| frame | Response | Determines whether CloudFront includes the X-Frame-Options HTTP response header and the header’s value. |
| referrer | Response | Determines whether CloudFront includes the Referrer-Policy HTTP response header and the header’s value. |
| strict | Response | Determines whether CloudFront includes the Strict-Transport-Security HTTP response header and the header’s value. |
| xss | Response | Determines whether CloudFront includes the X-XSS-Protection HTTP response header and the header’s value. |
contentSecurityPolicy?
Type:
Response
(optional, default: no content security policy)
The policy directives and their values that CloudFront includes as values for the Content-Security-Policy HTTP response header.
contentTypeOptions?
Type:
Response
(optional, default: no content type options)
Determines whether CloudFront includes the X-Content-Type-Options HTTP response header with its value set to nosniff.
frameOptions?
Type:
Response
(optional, default: no frame options)
Determines whether CloudFront includes the X-Frame-Options HTTP response header and the header’s value.
referrerPolicy?
Type:
Response
(optional, default: no referrer policy)
Determines whether CloudFront includes the Referrer-Policy HTTP response header and the header’s value.
strictTransportSecurity?
Type:
Response
(optional, default: no strict transport security)
Determines whether CloudFront includes the Strict-Transport-Security HTTP response header and the header’s value.
xssProtection?
Type:
Response
(optional, default: no xss protection)
Determines whether CloudFront includes the X-XSS-Protection HTTP response header and the header’s value.