Response Header Audit
Probing mission-control.html via CloudFront to detect HTTP security response headers. Results reflect what a browser receives.
Target: https://d1rsfp2c29g6x.cloudfront.net/mission-control.html · Method: HEAD request via CORS probe
Remediation Steps
CloudFront Response Headers Policy
Add a CloudFront Response Headers Policy to inject security headers on all responses. Apply to distribution E3HQHA5N284LTS.
1. Create Response Headers Policy (AWS CLI)
# Permissions-Policy is not one of CloudFront's managed SecurityHeadersConfig headers,
# so it is added under CustomHeadersConfig to match the recommended values in step 3.
aws cloudfront create-response-headers-policy \
  --response-headers-policy-config '{
    "Name": "SpaceDuck-Security-Headers",
    "SecurityHeadersConfig": {
      "StrictTransportSecurity": {
        "Override": true,
        "AccessControlMaxAgeSec": 31536000,
        "IncludeSubdomains": true,
        "Preload": true
      },
      "ContentTypeOptions": { "Override": true },
      "FrameOptions": { "FrameOption": "DENY", "Override": true },
      "XSSProtection": { "Protection": true, "ModeBlock": true, "Override": true },
      "ReferrerPolicy": {
        "ReferrerPolicy": "strict-origin-when-cross-origin",
        "Override": true
      },
      "ContentSecurityPolicy": {
        "ContentSecurityPolicy": "default-src '\''self'\''; script-src '\''self'\'' https://fonts.googleapis.com '\''unsafe-inline'\''; style-src '\''self'\'' https://fonts.googleapis.com https://fonts.gstatic.com '\''unsafe-inline'\''; font-src https://fonts.gstatic.com; img-src '\''self'\'' data: https:; connect-src '\''self'\'' https://czt9d57q83.execute-api.us-east-1.amazonaws.com;",
        "Override": false
      }
    },
    "CustomHeadersConfig": {
      "Quantity": 1,
      "Items": [
        { "Header": "Permissions-Policy", "Value": "camera=(), microphone=(), geolocation=()", "Override": true }
      ]
    }
  }'
2. Attach policy to CloudFront distribution default cache behaviour
# UpdateDistribution requires the current ETag via --if-match; fetch it together with the config first.
aws cloudfront get-distribution-config --id E3HQHA5N284LTS > distribution-config.json
# Copy only the "DistributionConfig" object into distribution-config-updated.json and set
# DefaultCacheBehavior.ResponseHeadersPolicyId to the policy ID returned by step 1.
aws cloudfront update-distribution \
  --id E3HQHA5N284LTS \
  --distribution-config file://distribution-config-updated.json \
  --if-match <ETAG-FROM-GET-DISTRIBUTION-CONFIG>
3. Exact recommended header values
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://fonts.googleapis.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; font-src https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://czt9d57q83.execute-api.us-east-1.amazonaws.com;
4. Invalidate CloudFront after applying policy
aws cloudfront create-invalidation \
  --distribution-id E3HQHA5N284LTS \
  --paths "/*"
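To verify the headers a browser receives after step 4 against the recommended values in step 3, the following added example scores a set of response headers the way the audit above describes (present, missing, score). It is not the audit page's own code; the sample response is constructed, and `fetch_headers` is an assumed helper for the live HEAD request.

```python
import urllib.request

# Recommended headers from step 3, each with a check on the received value; a header that is present but weaker than recommended counts as missing.
def _hsts_ok(value):
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        directives[name.lower()] = arg.strip()
    return int(directives.get("max-age", "0")) >= 31536000 and "includesubdomains" in directives

EXPECTED = {
    "strict-transport-security": _hsts_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-xss-protection": lambda v: v.strip().startswith("1"),
    "referrer-policy": lambda v: v.strip().lower() == "strict-origin-when-cross-origin",
    "permissions-policy": lambda v: bool(v.strip()),
    "content-security-policy": lambda v: "default-src" in v.lower(),
}

def audit(headers):
    """Return (present, missing, score) for a mapping of response headers.
    Names are compared case-insensitively, as a browser does."""
    received = {k.lower(): v for k, v in headers.items()}
    present, missing = [], []
    for name, check in EXPECTED.items():
        value = received.get(name)
        try:
            ok = value is not None and check(value)
        except ValueError:  # e.g. a non-numeric max-age
            ok = False
        (present if ok else missing).append(name)
    score = round(100 * len(present) / len(EXPECTED))
    return present, missing, score

def fetch_headers(url):
    """HEAD the URL and return its response headers (live check; assumed helper)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())

# Constructed sample: a distribution with no response headers policy, where the origin sends only a short-lived HSTS header and nosniff.
SAMPLE_BEFORE = {
    "Content-Type": "text/html",
    "X-Cache": "Hit from cloudfront",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
}
# Usage: audit(fetch_headers("https://d1rsfp2c29g6x.cloudfront.net/mission-control.html"))
```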