Set security headers on CFN responses

cloudformation/template.yaml

@@ -1714,6 +1714,36 @@ Resources:
       DevelopmentMode: !Ref DevelopmentMode
       FeedbackEnabled: !If [ EnableFeedbackSubmission, 'true', 'false' ]
 
+  LambdaEdgeFunctionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Path: "/"
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          -
+            Sid: "AllowLambdaServiceToAssumeRole"
+            Effect: "Allow"
+            Action: 
+              - "sts:AssumeRole"
+            Principal:
+              Service: 
+                - "lambda.amazonaws.com"
+                - "edgelambda.amazonaws.com"
+
+  CloudFrontSecurityHeadersLambda:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: ../lambdas/cloudfront-security
+      Handler: index.handler
+      MemorySize: 128
+      Role: !GetAtt LambdaEdgeFunctionRole.Arn
+      Runtime: nodejs12.x
+      Timeout: 1
+      AutoPublishAlias: Live
+
   CloudFrontOriginAccessIdentity:
     Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity'
     Condition: 'NotDevelopmentMode'
@@ -1738,6 +1768,10 @@ Resources:
             QueryString: true
           TargetOriginId: 'dev-portal-site-s3-bucket'
           ViewerProtocolPolicy: redirect-to-https
+          LambdaFunctionAssociations:
+            -
+              EventType: origin-response
+              LambdaFunctionARN: !Ref CloudFrontSecurityHeadersLambda.Version
         DefaultRootObject: index.html
         Enabled: true
         Comment: !Sub '${AWS::StackName} distribution'
@@ -1767,6 +1801,10 @@ Resources:
             QueryString: true
           TargetOriginId: 'dev-portal-site-s3-bucket'
           ViewerProtocolPolicy: redirect-to-https
+          LambdaFunctionAssociations:
+            -
+              EventType: origin-response
+              LambdaFunctionARN: !Ref CloudFrontSecurityHeadersLambda.Version
         DefaultRootObject: index.html
         Enabled: true
         Comment: !Sub '${AWS::StackName} distribution'

lambdas/cloudfront-security/index.js

@@ -0,0 +1,29 @@
+'use strict'
+
+const headersToAdd = {
+  // Don't include subdomains - the user might have a subdomain hosted on something else and not
+  // support it.
+  'strict-transport-security': [{ value: 'max-age=63072000' }],
+  'content-security-policy': [{
+    value: [
+      "default-src 'none'",
+      'connect-src *',
+      "prefetch-src 'self'",
+      "font-src 'self' data: fonts.gstatic.com",
+      "img-src 'self'",
+      "script-src 'self' 'unsafe-inline'",
+      "style-src 'self' fonts.googleapis.com"
+    ].join(';')
+  }],
+  'x-content-type-options': [{ value: 'nosniff' }],
+  'x-frame-options': [{ value: 'DENY' }],
+  'x-xss-protection': [{ value: '1; mode=block' }],
+  'referrer-policy': [{ value: 'same-origin' }]
+}
+
+exports.handler = (event, context, callback) => {
+  const response = event.Records[0].cf.response
+  console.log('Response headers:', response.headers)
+  Object.assign(response.headers, headersToAdd)
+  callback(null, response)
+}

lambdas/static-asset-uploader/index.js

@@ -170,7 +170,8 @@ class State {
     const params = {
       Bucket: bucketName,
       Key: 'config.js',
-      Body: Buffer.from('window.config=' + JSON.stringify(configObject))
+      Body: Buffer.from('window.config=' + JSON.stringify(configObject)),
+      ContentType: 'application/javascript'
     }
     const options = {}