Security Headers

Bug bounty scams

Published: Tuesday, Oct 5, 2021 Last modified: Saturday, Oct 16, 2021

failed at pollution

What fuck-wittery is this? Why isn't it secure by default? #security

— Kai Hendry (@kaihendry) October 5, 2021

Dubious sites like “” will give you a big fat F without a whole bunch of headers.

Plot twist

Assuming API endpoint of native app

My favourite thing is when penetration testers or security scanners complain about missing headers like CSP on backend API endpoints that are never called a browser.

Adding headers on AWS

tl;dr a PITA – from AWS Support

Addition of custom response headers is not a native feature built into CloudFront at this time, which means that you need to rely on a feature or service that allows arbitrary modifications to responses. Currently, this is only allowed by Lambda@edge or CloudFront functions.

The latter is a recently introduced alternative to Lambda@edge with lower pricing that allows basic transformations to your requests or responses using Javascript, and they can only be triggered at viewer requests and responses. Therefore, if Lambda@edge pricing is your concern, you may write and attach a CloudFront function triggered at viewer response to achieve this use case.

There are differences in CloudFront functions' event structure[1] and the accepted function signature[2], please review the documentation links and examples[3] for more information. Pricing information is available on the main pricing page[4].