feat: security headers by default (#186)

* feat: security headers by default * chore: self mutation Signed-off-by: github-actions <[email protected]> --------- Signed-off-by: github-actions <[email protected]> Co-authored-by: github-actions <[email protected]>
jetbridge · Dec 15, 2023 · a8b5c4a · a8b5c4a
1 parent 988dac7
commit a8b5c4a
Show file tree

Hide file tree

Showing 10 changed files with 1,062 additions and 136 deletions.
diff --git a/API.md b/API.md
diff --git a/src/NextjsDistribution.ts b/src/NextjsDistribution.ts
@@ -162,8 +162,35 @@ export class NextjsDistribution extends Construct {
             override: false,
             // by default tell browser to cache static files for this long
             // this is separate from the origin cache policy
+            // copied from: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control#caching_static_assets_with_cache_busting
             value: `public,max-age=${Duration.days(30).toSeconds()},immutable`,
           },
+          // below security headers copied from: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-response-headers-policies.html#managed-response-headers-policies-security
+          {
+            header: 'referrer-policy',
+            override: false,
+            value: 'strict-origin-when-cross-origin',
+          },
+          {
+            header: 'strict-transport-security',
+            override: false,
+            value: 'max-age=31536000',
+          },
+          {
+            header: 'x-content-type-options',
+            override: true,
+            value: 'nosniff',
+          },
+          {
+            header: 'x-frame-options',
+            override: false,
+            value: 'SAMEORIGIN',
+          },
+          {
+            header: 'x-xss-protection',
+            override: false,
+            value: '1; mode=block',
+          },
         ],
       },
     });
@@ -248,6 +275,7 @@ export class NextjsDistribution extends Construct {
       cachePolicy,
       edgeLambdas: this.edgeLambdas.length ? this.edgeLambdas : undefined,
       functionAssociations: this.createCloudFrontFnAssociations(),
+      responseHeadersPolicy: ResponseHeadersPolicy.SECURITY_HEADERS,
       ...this.props.overrides?.serverBehaviorOptions,
     };
   }
@@ -295,6 +323,7 @@ export class NextjsDistribution extends Construct {
       cachePolicy,
       originRequestPolicy: cloudfront.OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
       edgeLambdas: this.edgeLambdas,
+      responseHeadersPolicy: ResponseHeadersPolicy.SECURITY_HEADERS,
       ...this.props.overrides?.imageBehaviorOptions,
     };
   }

diff --git a/src/generated-structs/OptionalNextjsBucketDeploymentProps.ts b/src/generated-structs/OptionalNextjsBucketDeploymentProps.ts
diff --git a/src/generated-structs/OptionalNextjsDistributionProps.ts b/src/generated-structs/OptionalNextjsDistributionProps.ts
diff --git a/src/generated-structs/OptionalNextjsDomainProps.ts b/src/generated-structs/OptionalNextjsDomainProps.ts
diff --git a/src/generated-structs/OptionalNextjsImageProps.ts b/src/generated-structs/OptionalNextjsImageProps.ts
diff --git a/src/generated-structs/OptionalNextjsInvalidationProps.ts b/src/generated-structs/OptionalNextjsInvalidationProps.ts
diff --git a/src/generated-structs/OptionalNextjsRevalidationProps.ts b/src/generated-structs/OptionalNextjsRevalidationProps.ts
diff --git a/src/generated-structs/OptionalNextjsServerProps.ts b/src/generated-structs/OptionalNextjsServerProps.ts
diff --git a/src/generated-structs/OptionalNextjsStaticAssetsProps.ts b/src/generated-structs/OptionalNextjsStaticAssetsProps.ts