ResponseSecurityHeadersBehavior

class aws_cdk.aws_cloudfront.ResponseSecurityHeadersBehavior(*, content_security_policy=None, content_type_options=None, frame_options=None, referrer_policy=None, strict_transport_security=None, xss_protection=None)

Bases: object

Configuration for a set of security-related HTTP response headers.

CloudFront adds these headers to HTTP responses that it sends for requests that match a cache behavior associated with this response headers policy.

Parameters:
  • content_security_policy (Union[ResponseHeadersContentSecurityPolicy, Dict[str, Any], None]) – The policy directives and their values that CloudFront includes as values for the Content-Security-Policy HTTP response header. Default: no content security policy

  • content_type_options (Union[ResponseHeadersContentTypeOptions, Dict[str, Any], None]) – Determines whether CloudFront includes the X-Content-Type-Options HTTP response header with its value set to nosniff. Default: no content type options

  • frame_options (Union[ResponseHeadersFrameOptions, Dict[str, Any], None]) – Determines whether CloudFront includes the X-Frame-Options HTTP response header and the header’s value. Default: no frame options

  • referrer_policy (Union[ResponseHeadersReferrerPolicy, Dict[str, Any], None]) – Determines whether CloudFront includes the Referrer-Policy HTTP response header and the header’s value. Default: no referrer policy

  • strict_transport_security (Union[ResponseHeadersStrictTransportSecurity, Dict[str, Any], None]) – Determines whether CloudFront includes the Strict-Transport-Security HTTP response header and the header’s value. Default: no strict transport security

  • xss_protection (Union[ResponseHeadersXSSProtection, Dict[str, Any], None]) – Determines whether CloudFront includes the X-XSS-Protection HTTP response header and the header’s value. Default: no xss protection

Example:

# Imports used by this example (aws-cdk-lib v2)
from aws_cdk import Duration
import aws_cdk.aws_cloudfront as cloudfront
import aws_cdk.aws_cloudfront_origins as origins

# Using an existing managed response headers policy
# bucket_origin: origins.S3Origin

cloudfront.Distribution(self, "myDistManagedPolicy",
    default_behavior=cloudfront.BehaviorOptions(
        origin=bucket_origin,
        response_headers_policy=cloudfront.ResponseHeadersPolicy.CORS_ALLOW_ALL_ORIGINS
    )
)

# Creating a custom response headers policy -- all parameters optional
my_response_headers_policy = cloudfront.ResponseHeadersPolicy(self, "ResponseHeadersPolicy",
    response_headers_policy_name="MyPolicy",
    comment="A default policy",
    cors_behavior=cloudfront.ResponseHeadersCorsBehavior(
        access_control_allow_credentials=False,
        access_control_allow_headers=["X-Custom-Header-1", "X-Custom-Header-2"],
        access_control_allow_methods=["GET", "POST"],
        access_control_allow_origins=["*"],
        access_control_expose_headers=["X-Custom-Header-1", "X-Custom-Header-2"],
        access_control_max_age=Duration.seconds(600),
        origin_override=True
    ),
    custom_headers_behavior=cloudfront.ResponseCustomHeadersBehavior(
        custom_headers=[
            cloudfront.ResponseCustomHeader(header="X-Amz-Date", value="some-value", override=True),
            cloudfront.ResponseCustomHeader(header="X-Amz-Security-Token", value="some-value", override=False)
        ]
    ),
    security_headers_behavior=cloudfront.ResponseSecurityHeadersBehavior(
        content_security_policy=cloudfront.ResponseHeadersContentSecurityPolicy(content_security_policy="default-src https:;", override=True),
        content_type_options=cloudfront.ResponseHeadersContentTypeOptions(override=True),
        frame_options=cloudfront.ResponseHeadersFrameOptions(frame_option=cloudfront.HeadersFrameOption.DENY, override=True),
        referrer_policy=cloudfront.ResponseHeadersReferrerPolicy(referrer_policy=cloudfront.HeadersReferrerPolicy.NO_REFERRER, override=True),
        strict_transport_security=cloudfront.ResponseHeadersStrictTransportSecurity(access_control_max_age=Duration.seconds(600), include_subdomains=True, override=True),
        xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=True, report_uri="https://example.com/csp-report", override=True)
    )
)
cloudfront.Distribution(self, "myDistCustomPolicy",
    default_behavior=cloudfront.BehaviorOptions(
        origin=bucket_origin,
        response_headers_policy=my_response_headers_policy
    )
)
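The `override` flag on each header in the example above decides whether CloudFront replaces a header the origin already sent or lets the origin's value through. The following added example (not part of the aws_cdk documentation or the CDK code base) models that merge with the standard library only, so it runs without aws-cdk-lib, and then checks the resulting response for weak settings. The rendered header values in `policy_headers` are assumed equivalents of the six `security_headers_behavior` settings shown on this page rather than output read from CloudFront, the origin response is constructed, and the one-year minimum HSTS `max-age` is an assumed threshold (it is the floor the HSTS preload list requires).

```python
"""Model how a response headers policy's security headers combine with
headers the origin already set, then flag weak results. Stdlib only."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SecurityHeader:
    """One header the policy adds; `override` mirrors the flag on this page."""
    name: str
    value: str
    override: bool  # True: replace an origin-supplied header; False: keep the origin's value


def policy_headers(override: bool = True) -> List[SecurityHeader]:
    """Assumed rendered form of the six settings in the page's example
    (CSP default-src https:, nosniff, DENY, no-referrer, HSTS 600s, XSS block)."""
    return [
        SecurityHeader("Content-Security-Policy", "default-src https:;", override),
        SecurityHeader("X-Content-Type-Options", "nosniff", override),
        SecurityHeader("X-Frame-Options", "DENY", override),
        SecurityHeader("Referrer-Policy", "no-referrer", override),
        SecurityHeader("Strict-Transport-Security", "max-age=600; includeSubDomains", override),
        SecurityHeader("X-XSS-Protection", "1; mode=block", override),
    ]


def apply_policy(origin_headers: Dict[str, str], policy: List[SecurityHeader]) -> Dict[str, str]:
    """Return the headers the viewer receives. Names compare case-insensitively;
    when the policy wins, the output uses the policy's spelling of the name."""
    lowered = {k.lower(): k for k in origin_headers}
    result = dict(origin_headers)
    for h in policy:
        existing_key = lowered.get(h.name.lower())
        if existing_key is None:
            result[h.name] = h.value
        elif h.override:
            result.pop(existing_key)
            result[h.name] = h.value
        # otherwise the origin's header wins and the policy value is dropped
    return result


def weak_settings(headers: Dict[str, str], min_hsts_age: int = 31536000) -> List[str]:
    """Flag absent or weak security headers in a final response (assumed checks)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for required in ("content-security-policy", "x-content-type-options",
                     "x-frame-options", "referrer-policy", "strict-transport-security"):
        if required not in h:
            findings.append(f"missing {required}")
    for directive in h.get("strict-transport-security", "").split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                age = int(directive.split("=", 1)[1])
            except ValueError:
                findings.append("hsts max-age is not an integer")
            else:
                if age < min_hsts_age:
                    findings.append(f"hsts max-age {age} below {min_hsts_age}")
    xfo: Optional[str] = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options is not DENY or SAMEORIGIN")
    if "unsafe-inline" in h.get("content-security-policy", ""):
        findings.append("csp allows unsafe-inline")
    return findings


# Constructed sample: an origin that sends its own, weaker, security headers.
ORIGIN_RESPONSE = {
    "Content-Type": "text/html",
    "strict-transport-security": "max-age=0",
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    for override in (True, False):
        final = apply_policy(ORIGIN_RESPONSE, policy_headers(override))
        print(f"override={override}: {weak_settings(final)}")
```

With `override=True` the origin's `max-age=0` and `ALLOWALL` are replaced and the only finding is the short HSTS lifetime inherited from the page's 600-second example value; with `override=False` both weak origin headers reach the viewer unchanged, which is the case to watch for when an origin you do not control sets its own security headers.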

Attributes

content_security_policy

The policy directives and their values that CloudFront includes as values for the Content-Security-Policy HTTP response header.

Default:
  • no content security policy

content_type_options

Determines whether CloudFront includes the X-Content-Type-Options HTTP response header with its value set to nosniff.

Default:
  • no content type options

frame_options

Determines whether CloudFront includes the X-Frame-Options HTTP response header and the header’s value.

Default:
  • no frame options

referrer_policy

Determines whether CloudFront includes the Referrer-Policy HTTP response header and the header’s value.

Default:
  • no referrer policy

strict_transport_security

Determines whether CloudFront includes the Strict-Transport-Security HTTP response header and the header’s value.

Default:
  • no strict transport security

xss_protection

Determines whether CloudFront includes the X-XSS-Protection HTTP response header and the header’s value.

Default:
  • no xss protection