How do I add a CSP header to an AWS CDK setup?

Question Votes: 0 Answers: 1

I am currently working on a project that deploys a frontend application to an S3 bucket and then serves it through CloudFront. I am using the AWS CDK for the setup. This is my current configuration:

// Imports assume CDK v2; frontBucket, cert, recordName and context are defined elsewhere in the stack.
import * as cdk from 'aws-cdk-lib';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import { BucketDeployment, Source } from 'aws-cdk-lib/aws-s3-deployment';

// Upload the built frontend into the S3 bucket.
new BucketDeployment(this, `deployment-${context.environment}`, {
  sources: [Source.asset("../Frontend")],
  destinationBucket: frontBucket,
});

const cfDist = new cloudfront.CloudFrontWebDistribution(this, `${context.appName}-dist-${context.environment}`, {
  originConfigs: [
    {
      s3OriginSource: {
        s3BucketSource: frontBucket,
      },
      behaviors: [
        {
          isDefaultBehavior: true,
          defaultTtl: cdk.Duration.seconds(1)
        },
      ]
    },
  ],
  viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
  viewerCertificate: cloudfront.ViewerCertificate.fromAcmCertificate(cert, {
    aliases: [recordName],
    sslMethod: cloudfront.SSLMethod.SNI,
    securityPolicy: cloudfront.SecurityPolicyProtocol.TLS_V1_2_2021
  }),
});

// CloudFrontWebDistribution has no responseHeadersPolicy property, so the managed
// SecurityHeadersPolicy is attached through an override on the underlying CfnDistribution.
const cfnDistribution = cfDist.node.defaultChild as cloudfront.CfnDistribution;
cfnDistribution.addPropertyOverride(
  'DistributionConfig.DefaultCacheBehavior.ResponseHeadersPolicyId',
  cloudfront.ResponseHeadersPolicy.SECURITY_HEADERS.responseHeadersPolicyId
);

Now I want to add a CSP header to my setup. I am not sure where and how to add it to my current configuration. Could anyone guide me on how to add a CSP header to my current setup? Any help would be greatly appreciated.

Thank you.

amazon-s3 amazon-cloudfront aws-cdk content-security-policy
1 Answer
0 votes

See Customizing response headers with response headers policies in the AWS CDK documentation:

import { Duration } from 'aws-cdk-lib';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';

// Creating a custom response headers policy -- all parameters optional
const myResponseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'ResponseHeadersPolicy', {
  responseHeadersPolicyName: 'MyPolicy',
  comment: 'A default policy',
  corsBehavior: {
    accessControlAllowCredentials: false,
    accessControlAllowHeaders: ['X-Custom-Header-1', 'X-Custom-Header-2'],
    accessControlAllowMethods: ['GET', 'POST'],
    accessControlAllowOrigins: ['*'],
    accessControlExposeHeaders: ['X-Custom-Header-1', 'X-Custom-Header-2'],
    accessControlMaxAge: Duration.seconds(600),
    originOverride: true,
  },
  customHeadersBehavior: {
    customHeaders: [
      { header: 'X-Amz-Date', value: 'some-value', override: true },
      { header: 'X-Amz-Security-Token', value: 'some-value', override: false },
    ],
  },
  securityHeadersBehavior: {
    // The CSP value is the docs' placeholder; replace it with the policy your app needs.
    contentSecurityPolicy: { contentSecurityPolicy: 'default-src https:;', override: true },
    contentTypeOptions: { override: true },
    frameOptions: { frameOption: cloudfront.HeadersFrameOption.DENY, override: true },
    referrerPolicy: { referrerPolicy: cloudfront.HeadersReferrerPolicy.NO_REFERRER, override: true },
    strictTransportSecurity: { accessControlMaxAge: Duration.seconds(600), includeSubdomains: true, override: true },
    xssProtection: { protection: true, modeBlock: true, reportUri: 'https://example.com/csp-report', override: true },
  },
  removeHeaders: ['Server'],
  serverTimingSamplingRate: 50,
});

// bucketOrigin is an origin (for example an S3 origin for the frontend bucket) created elsewhere.
new cloudfront.Distribution(this, 'myDistCustomPolicy', {
  defaultBehavior: {
    origin: bucketOrigin,
    responseHeadersPolicy: myResponseHeadersPolicy,
  },
});
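Two checks that go with the answer above, added here as an example and not code from the original post or from AWS: a small TypeScript helper that composes the string passed to `contentSecurityPolicy`, audits it for the directives that most often leave a static SPA exposed, and parses `curl -sI` output to confirm that the deployed distribution really sends the policy. The SPA policy, the `https://api.example.com` API origin and the sample curl output are constructed assumptions. To wire a custom policy into the asker's `CloudFrontWebDistribution`, keep the existing `addPropertyOverride` call and pass `myResponseHeadersPolicy.responseHeadersPolicyId` in place of `cloudfront.ResponseHeadersPolicy.SECURITY_HEADERS.responseHeadersPolicyId`; the newer `Distribution` construct in the answer takes the policy directly through `responseHeadersPolicy`.

```typescript
// Added example, not code from the original post or from AWS: compose the CSP string
// that goes into securityHeadersBehavior.contentSecurityPolicy.contentSecurityPolicy,
// audit it before `cdk deploy`, and check the headers the deployed distribution returns
// (paste the output of `curl -sI https://<your-alias>/` into checkDeployedHeaders).

type CspDirectives = { [directive: string]: string[] };

// Serialize a directive map into a header value such as "default-src 'self'; object-src 'none'".
function buildCsp(directives: CspDirectives): string {
  return Object.keys(directives)
    .map(name => (directives[name].length ? name + " " + directives[name].join(" ") : name))
    .join("; ");
}

// Parse a CSP header value back into a directive map (directive names lower-cased).
function parseCsp(value: string): CspDirectives {
  const out: CspDirectives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(t => t.length > 0);
    if (tokens.length === 0) continue;
    out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

function has(sources: string[], token: string): boolean {
  return sources.indexOf(token) !== -1;
}

// Findings for a policy protecting a static SPA served from S3; an empty list means nothing was flagged.
function auditCsp(value: string): string[] {
  const d = parseCsp(value);
  const findings: string[] = [];
  const scriptSrc = d["script-src"] ?? d["default-src"]; // script-src falls back to default-src
  if (!scriptSrc) {
    findings.push("no script-src or default-src: scripts may load from any origin");
  } else {
    const hasNonceOrHash = scriptSrc.some(s => s.indexOf("'nonce-") === 0 || s.indexOf("'sha256-") === 0);
    if (has(scriptSrc, "'unsafe-inline'") && !hasNonceOrHash) findings.push("script-src allows 'unsafe-inline' with no nonce or hash");
    if (has(scriptSrc, "*") || has(scriptSrc, "https:")) findings.push("script-src allows scripts from any (https) origin");
    if (has(scriptSrc, "'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  }
  const objectSrc = d["object-src"] ?? d["default-src"]; // same fallback rule
  if (!objectSrc || !has(objectSrc, "'none'")) findings.push("object-src is not 'none': plugin content can execute");
  if (!d["base-uri"]) findings.push("base-uri missing: an injected <base> tag can redirect relative script URLs");
  if (!d["frame-ancestors"]) findings.push("frame-ancestors missing: the page can be framed (clickjacking)");
  return findings;
}

// A policy for the asker's setup: a bundled SPA on S3 with no inline scripts.
// The API origin is an assumption for the example; replace it with the real one.
const spaCsp = buildCsp({
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "style-src": ["'self'"],
  "img-src": ["'self'", "data:"],
  "font-src": ["'self'"],
  "connect-src": ["'self'", "https://api.example.com"],
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
  "frame-ancestors": ["'none'"],
  "form-action": ["'self'"],
  "upgrade-insecure-requests": [],
});

// Minimal parser for `curl -sI` output: a status line followed by "Name: value" lines.
function parseResponseHeaders(raw: string): { [name: string]: string } {
  const headers: { [name: string]: string } = {};
  for (const line of raw.split(/\r?\n/).slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Post-deploy check: does the distribution actually send the policy CDK was told to attach?
function checkDeployedHeaders(raw: string): string[] {
  const h = parseResponseHeaders(raw);
  const problems: string[] = [];
  if (h["content-security-policy"] === undefined) problems.push("content-security-policy header missing");
  else problems.push(...auditCsp(h["content-security-policy"]));
  if (h["strict-transport-security"] === undefined) problems.push("strict-transport-security missing");
  if ((h["x-content-type-options"] ?? "").toLowerCase() !== "nosniff") problems.push("x-content-type-options is not nosniff");
  if (h["server"] !== undefined) problems.push("server header present (removeHeaders: ['Server'] would strip it)");
  return problems;
}

// Constructed sample of what `curl -sI` returns once the custom policy is attached.
const sampleCurlOutput = [
  "HTTP/2 200",
  "content-type: text/html",
  "content-security-policy: " + spaCsp,
  "strict-transport-security: max-age=600; includeSubDomains",
  "x-content-type-options: nosniff",
  "x-frame-options: DENY",
  "referrer-policy: no-referrer",
  "x-cache: Miss from cloudfront",
].join("\n");

console.log("docs placeholder 'default-src https:;' findings:", auditCsp("default-src https:;"));
console.log("SPA policy findings:", auditCsp(spaCsp));
console.log("deployed header problems:", checkDeployedHeaders(sampleCurlOutput));
```

Run it with ts-node. The docs placeholder `default-src https:;` is flagged because it lets scripts load from any HTTPS origin and sets no `object-src`, `base-uri` or `frame-ancestors`; the stricter SPA policy passes. If the app relies on inline styles or third-party scripts, ship the policy first as a `Content-Security-Policy-Report-Only` header through `customHeadersBehavior`, and move it into `contentSecurityPolicy` once the reports are clean.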