What fuck-wittery is this? Why isn't it secure by default? https://t.co/2BHXkaoBRW #security— Kai Hendry (@kaihendry) October 5, 2021
Dubious sites like “securityheaders.com” will give you a big fat F unless you set a whole bunch of headers.
Assuming API endpoint of native app
My favourite thing is when penetration testers or security scanners complain about missing headers like CSP on backend API endpoints that are never called by a browser.
- Strict-Transport-Security - not relevant; HTTPS is hard-coded in the client
- Content-Security-Policy - not relevant, client not a browser
- X-Frame-Options - not relevant, client not a browser
- X-Content-Type-Options - not relevant, client not a browser
- Referrer-Policy - not relevant, client not a browser
- Permissions-Policy - not relevant, client not a browser
Adding headers on AWS
tl;dr: a PITA. From AWS Support:
Custom response headers are not a native feature built into CloudFront at the time of writing, which means that you need to rely on a feature or service that allows arbitrary modifications to responses. Currently, this is only allowed by Lambda@Edge or CloudFront Functions.
There are differences in CloudFront functions’ event structure and the accepted function signature, please review the documentation links and examples for more information. Pricing information is available on the main pricing page.
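For anyone who does decide to bolt the headers on at the edge, here is what the CloudFront Functions route looks like. This is an added example, not the author's code and not something AWS Support supplied; the `handler(event)` entry point and the `event.response.headers[name] = { value: ... }` shape follow the CloudFront Functions viewer-response event documented by AWS, while the header values themselves are constructed defaults chosen for illustration. The `missingHeaders` helper and `sampleEvent` are also constructed for this example.

```javascript
// Added example: a CloudFront Function for the viewer-response event that
// injects the six headers discussed above. Not the post's own code; the event
// shape follows the CloudFront Functions docs, the values are constructed.

// Headers to add to every response. Names are lowercase because that is how
// CloudFront Functions key the headers object.
var SECURITY_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy': "default-src 'none'; frame-ancestors 'none'",
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'no-referrer',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()'
};

// CloudFront Functions entry point. Associated with a distribution's
// viewer-response event, CloudFront passes the origin's response in
// event.response and forwards whatever this function returns to the client.
function handler(event) {
  var response = event.response;
  var headers = response.headers;
  Object.keys(SECURITY_HEADERS).forEach(function (name) {
    // Leave any header the origin already set alone; only fill in gaps, so a
    // page that deliberately sets its own CSP or framing policy keeps it.
    if (!headers[name]) {
      headers[name] = { value: SECURITY_HEADERS[name] };
    }
  });
  return response;
}

// Names of the security headers absent from a response. Handy for a
// post-deployment check against a real response converted to this shape.
function missingHeaders(response) {
  return Object.keys(SECURITY_HEADERS).filter(function (name) {
    return !response.headers[name];
  });
}

// Constructed sample event mirroring what CloudFront hands the function:
// an origin response that already carries its own X-Frame-Options.
var sampleEvent = {
  response: {
    statusCode: 200,
    statusDescription: 'OK',
    headers: {
      'content-type': { value: 'text/html; charset=utf-8' },
      'x-frame-options': { value: 'SAMEORIGIN' }
    }
  }
};
```

Note that this runs on every viewer response regardless of whether the client is a browser, which is exactly the point of the post: on an API endpoint consumed only by a native app it satisfies the scanner and nothing else, while still costing a function invocation per request.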