Skip to content

Security headers

The CloudFront Hosting Toolkit implements a comprehensive set of security headers to enhance the protection of your website against common web vulnerabilities.

Key Features

  • Custom Response Headers Policy: Applies a set of security headers to all responses from CloudFront.
  • Comprehensive Protection: Addresses multiple security concerns with a single configuration.

Implemented Security Headers

The following security headers are implemented through a custom Response Headers Policy:

  1. Content-Type Options:

    • Prevents MIME type sniffing.
    • Helps protect against MIME confusion attacks.
  2. Frame Options:

    • Set to DENY.
    • Prevents your content from being embedded in iframes on other domains.
    • Protects against clickjacking attacks.
  3. Strict Transport Security (HSTS):

    • Enforces HTTPS connections.
    • Includes subdomains.
    • Set for a duration of one year (31,536,000 seconds).
    • Enhances protection against protocol downgrade attacks and cookie hijacking.
  4. XSS Protection:

    • Enables the browser’s built-in XSS protection.
    • Set to block mode.
    • Provides an additional layer of protection against Cross-Site Scripting (XSS) attacks.
  5. Referrer Policy:

    • Set to STRICT_ORIGIN_WHEN_CROSS_ORIGIN.
    • Controls the Referer header sent by the browser.
    • Balances security and functionality by sending the origin, path, and query string when performing a same-origin request, and only the origin when performing a cross-origin request.

Benefits

  • Enhanced Security Posture: Protects against various common web vulnerabilities.
  • Browser Compatibility: Implemented headers are widely supported by modern browsers.
  • Centralized Configuration: Applied at the CloudFront level, ensuring consistent security across all resources.
  • Compliance Support: Helps meet security requirements for various compliance standards.

These security headers work in conjunction with other security features of the CloudFront Hosting Toolkit to provide a robust defense for your web application.