ResponseHeadersPolicy
Source:
src/AWS/CloudFront/ResponseHeadersPolicy.ts
A CloudFront response headers policy.
Response headers policies add or remove headers in viewer responses, including CORS, standard security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, etc.), Server-Timing, custom headers and explicit header removal. They are referenced by ID on a Distribution’s default behavior or per-path cache behaviors.
Creating Response Headers Policies
```typescript
const responseHeadersPolicy = yield* ResponseHeadersPolicy("AppResponseHeaders", {
  comment: "Default app security + CORS",
  corsConfig: {
    AccessControlAllowOrigins: { Quantity: 1, Items: ["https://app.example.com"] },
    AccessControlAllowMethods: { Quantity: 2, Items: ["GET", "OPTIONS"] },
    AccessControlAllowHeaders: { Quantity: 1, Items: ["Authorization"] },
    AccessControlAllowCredentials: false,
    OriginOverride: true,
  },
  securityHeadersConfig: {
    StrictTransportSecurity: {
      AccessControlMaxAgeSec: 31536000,
      IncludeSubdomains: true,
      Preload: true,
      Override: true,
    },
    ContentTypeOptions: { Override: true },
    FrameOptions: { FrameOption: "DENY", Override: true },
    ReferrerPolicy: { ReferrerPolicy: "no-referrer", Override: true },
  },
});
```
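A policy of this shape can be linted before it is deployed. The following is an added example, not part of the project's code: `auditPolicy`, the `PolicyConfig` type and the `weakPolicy` sample are hypothetical names introduced here, and only the field names come from the config on this page.

```typescript
// Added example: field names follow the policy config on this page;
// auditPolicy, PolicyConfig and weakPolicy are hypothetical.
type Toggle = { Override: boolean };
type SecurityHeaders = {
  StrictTransportSecurity?: Toggle & { AccessControlMaxAgeSec: number; IncludeSubdomains?: boolean; Preload?: boolean };
  ContentTypeOptions?: Toggle;
  FrameOptions?: Toggle & { FrameOption: string };
  ReferrerPolicy?: Toggle & { ReferrerPolicy: string };
};
type PolicyConfig = {
  corsConfig?: { AccessControlAllowOrigins: { Quantity: number; Items: string[] }; AccessControlAllowCredentials: boolean; OriginOverride: boolean };
  securityHeadersConfig?: SecurityHeaders;
};
const ONE_YEAR_SEC = 31536000;

function auditPolicy(p: PolicyConfig): string[] {
  const findings: string[] = [];
  const cors = p.corsConfig;
  if (cors) {
    const origins = cors.AccessControlAllowOrigins.Items;
    // Browsers refuse a "*" origin on credentialed requests; catch it early.
    if (origins.indexOf("*") !== -1 && cors.AccessControlAllowCredentials) findings.push("cors: wildcard origin with credentials");
    if (origins.some((o) => o.indexOf("http://") === 0)) findings.push("cors: plaintext http origin");
    if (!cors.OriginOverride) findings.push("cors: origin-supplied CORS headers win");
  }
  const sec: SecurityHeaders = p.securityHeadersConfig || {};
  const hsts = sec.StrictTransportSecurity;
  // Preload-list eligibility needs max-age >= 1 year and includeSubDomains.
  if (hsts && hsts.Preload && (hsts.AccessControlMaxAgeSec < ONE_YEAR_SEC || !hsts.IncludeSubdomains)) {
    findings.push("hsts: Preload set but not preload-eligible");
  }
  const headers: [string, Toggle | undefined][] = [
    ["hsts", hsts], ["nosniff", sec.ContentTypeOptions],
    ["frame-options", sec.FrameOptions], ["referrer-policy", sec.ReferrerPolicy],
  ];
  headers.forEach(([name, h]) => {
    if (!h) findings.push(name + ": not set by policy");
    // Override false leaves an origin-supplied value of this header in place.
    else if (!h.Override) findings.push(name + ": Override false");
  });
  return findings;
}

// Constructed sample: a deliberately weak variant of the page's config.
const weakPolicy: PolicyConfig = {
  corsConfig: { AccessControlAllowOrigins: { Quantity: 1, Items: ["*"] }, AccessControlAllowCredentials: true, OriginOverride: false },
  securityHeadersConfig: { StrictTransportSecurity: { AccessControlMaxAgeSec: 86400, IncludeSubdomains: false, Preload: true, Override: false } },
};
```

Running `auditPolicy` on the settings shown on this page returns an empty list; `weakPolicy` yields one finding per weakened or missing setting.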