我目前正在开发一个项目,将前端应用程序部署到 S3 存储桶,然后使用 CloudFront 提供服务。我正在使用 AWS CDK 进行设置。这是我当前的配置:
// Publish the built frontend into the bucket that CloudFront serves from.
const deploymentId = `deployment-${context.environment}`;
new BucketDeployment(this, deploymentId, {
  sources: [Source.asset("../Frontend")],
  destinationBucket: frontBucket,
});

// Single S3 origin with one default behaviour; objects are cached for 1 s by default.
const bucketOriginConfig = {
  s3OriginSource: { s3BucketSource: frontBucket },
  behaviors: [
    {
      isDefaultBehavior: true,
      defaultTtl: cdk.Duration.seconds(1),
    },
  ],
};

// Custom domain certificate: SNI only, TLS 1.2 (2021 policy) as the floor.
const viewerCertificate = cloudfront.ViewerCertificate.fromAcmCertificate(cert, {
  aliases: [recordName],
  sslMethod: cloudfront.SSLMethod.SNI,
  securityPolicy: cloudfront.SecurityPolicyProtocol.TLS_V1_2_2021,
});

const distributionId = `${context.appName}-dist-${context.environment}`;
const cfDist = new cloudfront.CloudFrontWebDistribution(this, distributionId, {
  originConfigs: [bucketOriginConfig],
  viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
  viewerCertificate,
});

// The response headers policy is wired in through the L1 (CfnDistribution) resource,
// presumably because this L2 construct exposes no property for it -- verify against the
// CDK version in use. NOTE: the managed SECURITY_HEADERS policy does not emit a
// Content-Security-Policy header; CSP requires a custom ResponseHeadersPolicy.
const cfnDistribution = cfDist.node.defaultChild as cloudfront.CfnDistribution;
cfnDistribution.addPropertyOverride(
  'DistributionConfig.DefaultCacheBehavior.ResponseHeadersPolicyId',
  cloudfront.ResponseHeadersPolicy.SECURITY_HEADERS.responseHeadersPolicyId,
);
现在我想在此设置中添加 CSP 标头，但不确定应该在哪里、以何种方式添加。谁能指导一下如何在我当前的设置中加入 CSP 标头?任何帮助将不胜感激。
谢谢你。
CloudFront 的托管策略 SECURITY_HEADERS 并不包含 Content-Security-Policy 标头，所以需要自建一个响应标头策略；请参阅 AWS CDK 文档中的"使用响应标头策略自定义响应标头"。在你现有的 CloudFrontWebDistribution 设置中，只需把 addPropertyOverride 的第二个参数改为下面示例中的 myResponseHeadersPolicy.responseHeadersPolicyId 即可:
// Custom response headers policy. Every section is optional -- keep only what the
// site needs. The values below are the sample values from the CDK docs.
const corsBehavior = {
  accessControlAllowCredentials: false,
  accessControlAllowHeaders: ['X-Custom-Header-1', 'X-Custom-Header-2'],
  accessControlAllowMethods: ['GET', 'POST'],
  // Sample wildcard origin; narrow this to the origins that actually need CORS.
  accessControlAllowOrigins: ['*'],
  accessControlExposeHeaders: ['X-Custom-Header-1', 'X-Custom-Header-2'],
  accessControlMaxAge: Duration.seconds(600),
  originOverride: true,
};

const customHeadersBehavior = {
  customHeaders: [
    { header: 'X-Amz-Date', value: 'some-value', override: true },
    { header: 'X-Amz-Security-Token', value: 'some-value', override: false },
  ],
};

const securityHeadersBehavior = {
  // This is the header the question asks for. 'default-src https:' is only a
  // placeholder; derive the real policy from where the app loads its resources.
  contentSecurityPolicy: { contentSecurityPolicy: 'default-src https:;', override: true },
  contentTypeOptions: { override: true },
  frameOptions: { frameOption: cloudfront.HeadersFrameOption.DENY, override: true },
  referrerPolicy: { referrerPolicy: cloudfront.HeadersReferrerPolicy.NO_REFERRER, override: true },
  // 600 s is a doc sample value; HSTS max-age is commonly set to a year or more in production.
  strictTransportSecurity: { accessControlMaxAge: Duration.seconds(600), includeSubdomains: true, override: true },
  xssProtection: { protection: true, modeBlock: true, reportUri: 'https://example.com/csp-report', override: true },
};

const myResponseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'ResponseHeadersPolicy', {
  responseHeadersPolicyName: 'MyPolicy',
  comment: 'A default policy',
  corsBehavior,
  customHeadersBehavior,
  securityHeadersBehavior,
  // Strip the origin's Server header from responses.
  removeHeaders: ['Server'],
  serverTimingSamplingRate: 50,
});
// Attach the custom policy to the distribution's default behaviour.
const defaultBehavior = {
  origin: bucketOrigin,
  responseHeadersPolicy: myResponseHeadersPolicy,
};
new cloudfront.Distribution(this, 'myDistCustomPolicy', { defaultBehavior });