How do I add security-related headers to API Gateway responses?
To enhance the security of your API Gateway, adding specific headers to the responses is a crucial step. This can help in preventing a variety of attacks, including cross-site scripting (XSS) and clickjacking. Below is an example of how to achieve this by configuring a method response and integration response for your API Gateway in AWS.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.apigateway.RestApi("example", {
    name: "example-api",
    description: "Example API Gateway with security headers",
});

const exampleResource = new aws.apigateway.Resource("example_resource", {
    restApi: example.id,
    parentId: example.rootResourceId,
    pathPart: "example",
});

const exampleMethod = new aws.apigateway.Method("example_method", {
    restApi: example.id,
    resourceId: exampleResource.id,
    httpMethod: "GET",
    authorization: "NONE",
});

const exampleIntegration = new aws.apigateway.Integration("example_integration", {
    restApi: example.id,
    resourceId: exampleResource.id,
    httpMethod: exampleMethod.httpMethod,
    type: "MOCK",
    requestTemplates: {
        // The mapping template must be a string; single quotes keep the inner JSON quotes intact.
        "application/json": '{"statusCode": 200}',
    },
});

const exampleResponse = new aws.apigateway.MethodResponse("example_response", {
    restApi: example.id,
    resourceId: exampleResource.id,
    httpMethod: exampleMethod.httpMethod,
    statusCode: "200",
    responseModels: {
        "application/json": "Empty",
    },
    // Every header mapped in the integration response below must first be declared
    // here, otherwise API Gateway rejects the mapping as an invalid expression.
    responseParameters: {
        "method.response.header.Strict-Transport-Security": true,
        "method.response.header.Content-Security-Policy": true,
        "method.response.header.X-Content-Type-Options": true,
        "method.response.header.X-Frame-Options": true,
        "method.response.header.X-XSS-Protection": true,
    },
});

const exampleIntegrationResponse = new aws.apigateway.IntegrationResponse("example_integration_response", {
    restApi: example.id,
    resourceId: exampleResource.id,
    httpMethod: exampleMethod.httpMethod,
    statusCode: exampleResponse.statusCode,
    // Static header values are written as single-quoted literals.
    responseParameters: {
        "method.response.header.Strict-Transport-Security": "'max-age=63072000; includeSubdomains; preload'",
        "method.response.header.Content-Security-Policy": "'default-src 'self'; script-src 'self' https://apis.google.com'",
        "method.response.header.X-Content-Type-Options": "'nosniff'",
        "method.response.header.X-Frame-Options": "'DENY'",
        "method.response.header.X-XSS-Protection": "'1; mode=block'",
    },
}, { dependsOn: [exampleIntegration] }); // the integration must exist before its response can be attached

const exampleDeployment = new aws.apigateway.Deployment("example_deployment", {
    restApi: example.id,
    stageName: "dev",
}, { dependsOn: [exampleIntegration, exampleIntegrationResponse] }); // deploy only after the method is fully wired

export const apiEndpoint = exampleDeployment.invokeUrl;
```
In this example:
- An API Gateway resource and method are created.
- A mock integration is set up for demonstration purposes.
- Method and integration responses are configured to include security headers for GET requests.
- Finally, an API deployment is created.
This configuration attaches the security headers to the 200 response of the GET method defined above. Each additional method and status code you expose, including the 4XX/5XX responses API Gateway generates itself, needs its own method response declaration and integration response mapping for the headers to appear there too.
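The two `responseParameters` maps above have to agree with each other: a header mapped in the integration response but not declared on the method response is rejected by API Gateway. The following added example (not part of the original page or of Pulumi's own libraries) derives both maps from a single header table so they cannot drift apart, and then audits a captured response for the same headers, which is the check you would run against the deployed `invokeUrl` after `pulumi up`. The header values are the page's own; the sample responses, the function names and the one-year HSTS threshold are constructed assumptions.

```typescript
// Added example, not code from the page or from Pulumi: keeps the MethodResponse
// declarations and IntegrationResponse static values in sync, then audits a response.

// The headers the page configures, with the page's own values.
export const SECURITY_HEADERS: { [name: string]: string } = {
    "Strict-Transport-Security": "max-age=63072000; includeSubdomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://apis.google.com",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
};

export interface HeaderMappings {
    // value for aws.apigateway.MethodResponse.responseParameters
    methodResponseParameters: { [key: string]: boolean };
    // value for aws.apigateway.IntegrationResponse.responseParameters
    integrationResponseParameters: { [key: string]: string };
}

// Builds both maps from one table. API Gateway only accepts an integration-response
// header mapping when the same header is declared (true) on the method response.
export function buildHeaderMappings(headers: { [name: string]: string }): HeaderMappings {
    const methodResponseParameters: { [key: string]: boolean } = {};
    const integrationResponseParameters: { [key: string]: string } = {};
    for (const name of Object.keys(headers)) {
        const key = "method.response.header." + name;
        methodResponseParameters[key] = true;
        // Static values in an integration response are single-quoted literals.
        integrationResponseParameters[key] = "'" + headers[name] + "'";
    }
    return { methodResponseParameters, integrationResponseParameters };
}

// Case-insensitive header lookup (HTTP clients commonly lower-case header names).
function lookup(headers: { [name: string]: string }, name: string): string | undefined {
    const want = name.toLowerCase();
    for (const key of Object.keys(headers)) {
        if (key.toLowerCase() === want) {
            return headers[key];
        }
    }
    return undefined;
}

// Parses max-age from an HSTS value; returns -1 if it is missing or malformed.
export function hstsMaxAge(value: string): number {
    const m = /max-age\s*=\s*(\d+)/i.exec(value);
    return m ? Number(m[1]) : -1;
}

// Audits a response header map and returns findings (an empty list means all checks passed).
// X-XSS-Protection is not required: current browsers ignore it, so its absence is not a finding.
export function auditSecurityHeaders(headers: { [name: string]: string }): string[] {
    const findings: string[] = [];
    const hsts = lookup(headers, "Strict-Transport-Security");
    if (hsts === undefined) {
        findings.push("missing Strict-Transport-Security");
    } else if (hstsMaxAge(hsts) < 31536000) { // assumed threshold: one year
        findings.push("Strict-Transport-Security max-age below one year");
    }
    const csp = lookup(headers, "Content-Security-Policy");
    if (csp === undefined) {
        findings.push("missing Content-Security-Policy");
    } else if (!/default-src/i.test(csp)) {
        findings.push("Content-Security-Policy has no default-src fallback");
    }
    const cto = lookup(headers, "X-Content-Type-Options");
    if (cto === undefined || cto.trim().toLowerCase() !== "nosniff") {
        findings.push("X-Content-Type-Options is not nosniff");
    }
    const xfo = lookup(headers, "X-Frame-Options");
    if (xfo === undefined || ["deny", "sameorigin"].indexOf(xfo.trim().toLowerCase()) === -1) {
        findings.push("X-Frame-Options is not DENY or SAMEORIGIN");
    }
    return findings;
}

// Constructed sample: the 200 response of a correctly deployed stage, header names lower-cased
// the way a client library would present them.
export const sampleGoodResponse: { [name: string]: string } = { "content-type": "application/json" };
for (const name of Object.keys(SECURITY_HEADERS)) {
    sampleGoodResponse[name.toLowerCase()] = SECURITY_HEADERS[name];
}
// Constructed sample: a response from a stage whose integration response was never mapped.
export const sampleBareResponse: { [name: string]: string } = { "content-type": "application/json" };

export function runAudit(): { good: string[]; bare: string[] } {
    return { good: auditSecurityHeaders(sampleGoodResponse), bare: auditSecurityHeaders(sampleBareResponse) };
}
```

In a Pulumi program you would pass `buildHeaderMappings(SECURITY_HEADERS).methodResponseParameters` to the `MethodResponse` and `.integrationResponseParameters` to the `IntegrationResponse`; the audit half is meant to be run against the headers returned by an HTTP request to the deployed endpoint, and its empty result for the good sample versus four findings for the bare one is what distinguishes a working mapping from a stage where the headers were declared but never attached.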