Content Security Policy with S3 + CloudFront

'use strict';
exports.handler = (event, context, callback) => {
const response = event.Records[0].cf.response;
const headers = response.headers;

headers['strict-transport-security'] = [{
key: 'Strict-Transport-Security',
value: "max-age=31536000; includeSubdomains; preload"
headers['content-security-policy'] = [{
key: 'Content-Security-Policy',
value: "default-src 'none'; connect-src 'self'; font-src 'self' data:; frame-src 'self'; img-src 'self' data: https:; media-src 'self'; script-src 'self' 'unsafe-inline' data:; style-src 'self' 'unsafe-inline'; object-src 'none'"
headers['x-content-type-options'] = [{
key: 'X-Content-Type-Options',
value: "nosniff"

headers['x-frame-options'] = [{
key: 'X-Frame-Options',
value: "DENY"

headers['x-xss-protection'] = [{
key: 'X-XSS-Protection',
value: "1; mode=block"
headers['referrer-policy'] = [{
key: 'Referrer-Policy',
value: "same-origin"

callback(null, response);

Hasan Tayyar BEŞİK

Written by

DevOps at Frontier Car Group, Former Devops @bitwala #nodejs #Berlin — This blog is mostly techie and multilingual. Be aware of possible and multiple typos!

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade