Security headers
The CloudFront Hosting Toolkit implements a comprehensive set of security headers to enhance the protection of your website against common web vulnerabilities.
Key Features
- Custom Response Headers Policy: Applies a set of security headers to all responses from CloudFront.
- Comprehensive Protection: Addresses multiple security concerns with a single configuration.
Implemented Security Headers
The following security headers are implemented through a custom Response Headers Policy:
-
Content-Type Options:
- Prevents MIME type sniffing.
- Helps protect against MIME confusion attacks.
-
Frame Options:
- Set to DENY.
- Prevents your content from being embedded in iframes on other domains.
- Protects against clickjacking attacks.
-
Strict Transport Security (HSTS):
- Enforces HTTPS connections.
- Includes subdomains.
- Set for a duration of one year (31,536,000 seconds).
- Enhances protection against protocol downgrade attacks and cookie hijacking.
-
XSS Protection:
- Enables the browserβs built-in XSS protection.
- Set to block mode.
- Provides an additional layer of protection against Cross-Site Scripting (XSS) attacks.
-
Referrer Policy:
- Set to STRICT_ORIGIN_WHEN_CROSS_ORIGIN.
- Controls the Referer header sent by the browser.
- Balances security and functionality by sending the origin, path, and query string when performing a same-origin request, and only the origin when performing a cross-origin request.
Benefits
- Enhanced Security Posture: Protects against various common web vulnerabilities.
- Browser Compatibility: Implemented headers are widely supported by modern browsers.
- Centralized Configuration: Applied at the CloudFront level, ensuring consistent security across all resources.
- Compliance Support: Helps meet security requirements for various compliance standards.
These security headers work in conjunction with other security features of the CloudFront Hosting Toolkit to provide a robust defense for your web application.