/*
* AWS Lambda@Edge function to add common security headers for CloudFront.
* https://github.com/blueimp/aws-lambda
*
* Copyright 2017, Sebastian Tschan
* https://blueimp.net
*
* Licensed under the MIT license:
* https://opensource.org/licenses/MIT
*/
'use strict'

// Security headers to inject into every CloudFront response, keyed by their
// canonical mixed-case names. Each value is the exact header value sent.
const headers = {
  // HSTS: one year, all subdomains, and opt-in to the browser preload list.
  // NOTE(review): preload + includeSubDomains is effectively irreversible and
  // covers every subdomain of the zone, so each of them must serve HTTPS.
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  // CSP: resources only over HTTPS, inline code permitted, plugins forbidden,
  // framing limited to the same origin.
  // NOTE(review): 'unsafe-inline' on default-src also governs script-src, so
  // this policy does not block injected inline scripts; a nonce- or hash-based
  // script-src would be needed for meaningful XSS mitigation.
  'Content-Security-Policy': [
    "default-src https: 'unsafe-inline';",
    'img-src https: data: blob:;',
    "object-src 'none';",
    "frame-ancestors 'self';"
  ].join(' '),
  // Clickjacking guard for browsers without CSP frame-ancestors support;
  // browsers that implement frame-ancestors give that directive precedence.
  'X-Frame-Options': 'SAMEORIGIN',
  // Send only the origin on cross-site requests, and no referrer at all when
  // navigating from HTTPS to HTTP.
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  // Disable MIME sniffing so the declared Content-Type is authoritative.
  'X-Content-Type-Options': 'nosniff',
  // Legacy XSS-auditor toggle. NOTE(review): current guidance (e.g. OWASP)
  // treats this header as deprecated and recommends '0', since the auditor has
  // been removed from modern browsers and had known bypass/leak issues in older
  // ones; left unchanged here to preserve existing behaviour.
  'X-XSS-Protection': '1; mode=block'
}

// CloudFront expects each header as a list of `{ key, value }` entries under a
// lowercase header name. Build that structure once at module load so every
// invocation reuses it instead of rebuilding it per request.
const transformedHeaders = Object.keys(headers).reduce((acc, name) => {
  acc[name.toLowerCase()] = [{ key: name, value: headers[name] }]
  return acc
}, {})
// Lambda@Edge entry point: pulls the CloudFront response out of the event,
// merges the precomputed security headers into it and hands it back via the
// callback. It reads `cf.response`, which is only present on response-stage
// events (presumably viewer-response / origin-response), so attaching this
// function to a request trigger would throw here. A header the origin already
// set under the same lowercase name is replaced, not duplicated.
exports.handler = (event, context, callback) => {
  const response = event.Records[0].cf.response
  for (const name of Object.keys(transformedHeaders)) {
    response.headers[name] = transformedHeaders[name]
  }
  callback(null, response)
}