  • Setting security headers with CloudFront Request and Response Behaviors

  • Viktorrr

    Member
    February 6, 2025 at 7:28 am

    Hello,

    In the 15th question of the second practice test “Category: DOP – Configuration Management and Infrastructure as Code”, the following is stated:

    The option that says: Host the application on an S3 bucket configured for website hosting. Set up a CloudFront web distribution and set the S3 bucket as the origin. Set a custom Request and Response Behavior in CloudFront that automatically adds the required security headers in the HTTP response is incorrect because configuring a custom Request and Response Behavior in CloudFront is not enough to automatically add the required security headers to the HTTP response. You have to use Lambda@Edge to add the headers to satisfy the requirement of this scenario.

    At the same time, AWS documentation states that those 3 security headers could be set via response headers policies attached to cache behavior: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/understanding-response-headers-policies.html#understanding-response-headers-policies-security

    Could you please elaborate if the question is outdated or if I misinterpreted the question?

  • Neil-TutorialsDojo

    Member
    February 6, 2025 at 11:01 am

    Hello Viktorrr,

    Good day!

    Thank you for posting here. Both approaches—using Lambda@Edge and CloudFront custom headers—can effectively add security headers for a static website, but they come with trade-offs. CloudFront custom headers are simpler, cost-effective, and easy to set up, making them ideal for general static sites. However, security must be more dynamic and robust for an online salary calculator handling sensitive financial data. Lambda@Edge allows real-time header modifications, adding flexibility to enforce stricter security measures based on request attributes. It also enhances protection against XSS, clickjacking, and other web-based threats, making it a better choice for applications requiring stronger security controls. Additionally, it enables better auditability by allowing custom logging and analysis of HTTP requests. While it introduces slight latency and additional costs, its ability to dynamically manage security headers and adapt to evolving threats makes it the preferred solution.

    I hope this helps.

    Regards,

    Neil @ Tutorials Dojo

    • Viktorrr

      Member
      February 6, 2025 at 10:24 pm

      Hello Neil-TutorialsDojo,

      Thanks for the answer, but in this case, the explanation “custom Request and Response Behavior in CloudFront is not enough to automatically add the required security headers to the HTTP response” is misleading. We can use Cache Behavior and AWS provides documentation on how to do it.

      Lambda@Edge might be a better solution, although the only hint that advanced security is more important than implementation efforts, costs, or latency is “sensitive financial data”.

      Regards,
      Viktorrr

      • Neil-TutorialsDojo

        Member
        February 10, 2025 at 10:27 am

        Hello Viktorrr,

        I understand your concern. We will review and update this item as soon as possible to ensure clarity and alignment with the latest AWS documentation.

        We appreciate your patience and contribution to improving the quality of our practice tests.

        Best regards,

        Neil @ Tutorials Dojo
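As an added illustration of the Lambda@Edge approach discussed in this thread (this is example code, not from the practice test, the thread, or AWS), below is an origin-response handler that injects the same kind of security headers a CloudFront response headers policy can set without any code. The header set and values are assumptions chosen for the example; the `sampleEvent` function builds a constructed event in the shape CloudFront passes to origin-response triggers.

```javascript
// Static headers to inject. A CloudFront response headers policy attached to
// the cache behavior can set the same fixed values with no function at all;
// a Lambda@Edge function is only needed when values must vary per request.
const SECURITY_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
};

// CloudFront header maps use lowercase keys; each entry is an array of
// { key, value } objects where `key` carries the display casing.
function canonical(name) {
  return name.split('-').map(p => p[0].toUpperCase() + p.slice(1)).join('-');
}

// Adds (or overrides) the security headers on a CloudFront response object.
// Headers returned by the origin (e.g. Content-Type) are left untouched.
function addSecurityHeaders(response) {
  const headers = response.headers || {};
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    headers[name] = [{ key: canonical(name), value }];
  }
  response.headers = headers;
  return response;
}

// Lambda@Edge entry point for the origin-response event. Because this event
// fires before CloudFront caches the object, the headers are cached with it.
async function handler(event) {
  const response = event.Records[0].cf.response;
  return addSecurityHeaders(response);
}

// Constructed sample event (not a real CloudFront capture) for local testing.
function sampleEvent() {
  return { Records: [{ cf: { response: {
    status: '200',
    statusDescription: 'OK',
    headers: { 'content-type': [{ key: 'Content-Type', value: 'text/html' }] },
  } } }] };
}
```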
