
How do I add security-related headers to API Gateway responses?

To enhance the security of your API Gateway, adding specific headers to the responses is a crucial step. This can help in preventing a variety of attacks, including cross-site scripting (XSS) and clickjacking. Below is an example of how to achieve this by configuring a method response and integration response for your API Gateway in AWS.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// REST API that will carry the security headers.
const example = new aws.apigateway.RestApi("example", {
    name: "example-api",
    description: "Example API Gateway with security headers",
});

// The /example resource under the API root.
const exampleResource = new aws.apigateway.Resource("example_resource", {
    restApi: example.id,
    parentId: example.rootResourceId,
    pathPart: "example",
});

// GET /example with no authorizer (demonstration only).
const exampleMethod = new aws.apigateway.Method("example_method", {
    restApi: example.id,
    resourceId: exampleResource.id,
    httpMethod: "GET",
    authorization: "NONE",
});

// Mock integration. The request template is a JSON document passed as a
// string, so the literal is single-quoted to keep the inner double quotes.
const exampleIntegration = new aws.apigateway.Integration("example_integration", {
    restApi: example.id,
    resourceId: exampleResource.id,
    httpMethod: exampleMethod.httpMethod,
    type: "MOCK",
    requestTemplates: {
        "application/json": '{"statusCode": 200}',
    },
});

// Method response. Every header the integration response maps must be
// declared here first; API Gateway only passes declared headers through.
const exampleResponse = new aws.apigateway.MethodResponse("example_response", {
    restApi: example.id,
    resourceId: exampleResource.id,
    httpMethod: exampleMethod.httpMethod,
    statusCode: "200",
    responseModels: {
        "application/json": "Empty",
    },
    responseParameters: {
        "method.response.header.Strict-Transport-Security": true,
        "method.response.header.Content-Security-Policy": true,
        "method.response.header.X-Content-Type-Options": true,
        "method.response.header.X-Frame-Options": true,
        "method.response.header.X-XSS-Protection": true,
    },
});

// Integration response. Static header values use API Gateway's mapping
// syntax, which wraps the value in single quotes.
const exampleIntegrationResponse = new aws.apigateway.IntegrationResponse("example_integration_response", {
    restApi: example.id,
    resourceId: exampleResource.id,
    httpMethod: exampleMethod.httpMethod,
    statusCode: exampleResponse.statusCode,
    responseParameters: {
        "method.response.header.Strict-Transport-Security": "'max-age=63072000; includeSubdomains; preload'",
        "method.response.header.Content-Security-Policy": "'default-src 'self'; script-src 'self' https://apis.google.com'",
        "method.response.header.X-Content-Type-Options": "'nosniff'",
        "method.response.header.X-Frame-Options": "'DENY'",
        "method.response.header.X-XSS-Protection": "'1; mode=block'",
    },
});

// The deployment must be created only after the method, integration and
// responses exist, so the snapshot it takes includes them.
const exampleDeployment = new aws.apigateway.Deployment("example_deployment", {
    restApi: example.id,
    stageName: "dev",
}, { dependsOn: [exampleIntegration, exampleResponse, exampleIntegrationResponse] });

export const apiEndpoint = exampleDeployment.invokeUrl;

In this example:

  1. An API Gateway resource and method are created.
  2. A mock integration is set up for demonstration purposes.
  3. Method and Integration responses are configured to include security headers for GET requests.
  4. Finally, an API deployment is created.

With this configuration, the 200 response of the GET method carries the listed security headers. Each method and status code you expose needs its own method response and integration response pair, and the method response must declare a header before the integration response can set it; error responses generated by API Gateway itself (4xx/5xx) are not covered by these method-level mappings.
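The two parameter maps above (the method response's `true` declarations and the integration response's quoted static values) have to name exactly the same headers, and it is easy for them to drift apart as headers are added. The following helper, an added example that is not part of the Pulumi page or of the Pulumi AWS provider, derives both maps from one header list and adds a small post-deployment check that compares the headers a stage actually returns against the expected set. It is plain TypeScript with no `@pulumi/aws` import; the function names, the `HeaderMappings` type and the sample header values are assumptions of this example. The helper refuses values that contain a single quote (such as a CSP using `'self'`) rather than guess how the single-quoted static-value syntax would carry them; that is a conservative choice of the example, not a statement about API Gateway's behaviour.

```typescript
// Added example (not from the original page). Pure TypeScript helpers that
// derive both API Gateway parameter maps from one header list, plus a check
// of observed response headers against the expected set.

export interface HeaderMappings {
  // For aws.apigateway.MethodResponse.responseParameters:
  // "method.response.header.<Name>": true declares the header on the method.
  methodResponseParameters: Record<string, boolean>;
  // For aws.apigateway.IntegrationResponse.responseParameters:
  // a static value in mapping syntax is wrapped in single quotes.
  integrationResponseParameters: Record<string, string>;
}

const HEADER_NAME = /^[A-Za-z0-9-]+$/;

// Wrap a header value in the single quotes API Gateway uses for static values.
export function toStaticValue(value: string): string {
  if (value.includes("'")) {
    // Embedded single quotes cannot be wrapped unambiguously; refuse instead of
    // emitting a mapping that may be rejected or mangled (design choice here).
    throw new Error(`header value contains a single quote; use a mapping template instead: ${value}`);
  }
  if (/[\r\n]/.test(value)) {
    throw new Error("header value must not contain CR or LF");
  }
  return `'${value}'`;
}

// Build the method-response declaration and the integration-response mapping
// from one list, so the two resources can never disagree about header names.
export function buildHeaderMappings(headers: Record<string, string>): HeaderMappings {
  const methodResponseParameters: Record<string, boolean> = {};
  const integrationResponseParameters: Record<string, string> = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!HEADER_NAME.test(name)) {
      throw new Error(`invalid header name: ${name}`);
    }
    const key = `method.response.header.${name}`;
    methodResponseParameters[key] = true;
    integrationResponseParameters[key] = toStaticValue(value);
  }
  return { methodResponseParameters, integrationResponseParameters };
}

// Constructed sample header set (assumed values for this example).
export const defaultSecurityHeaders: Record<string, string> = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "X-XSS-Protection": "1; mode=block",
};

// Parse raw response headers (e.g. the output of `curl -sI <invokeUrl>`) into
// a name -> value map; the status line has no colon and is skipped.
export function parseRawHeaders(raw: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i > 0) {
      out[line.slice(0, i).trim()] = line.slice(i + 1).trim();
    }
  }
  return out;
}

// Post-deployment check: names of expected headers that are absent from the
// observed response or carry a different value (names compared
// case-insensitively, as HTTP header names are).
export function missingHeaders(
  expected: Record<string, string>,
  observed: Record<string, string>,
): string[] {
  const seen = new Map<string, string>();
  for (const [name, value] of Object.entries(observed)) {
    seen.set(name.toLowerCase(), value.trim());
  }
  return Object.entries(expected)
    .filter(([name, value]) => seen.get(name.toLowerCase()) !== value)
    .map(([name]) => name);
}
```

In the Pulumi program, pass `buildHeaderMappings(defaultSecurityHeaders).methodResponseParameters` as the `MethodResponse`'s `responseParameters` and `.integrationResponseParameters` as the `IntegrationResponse`'s, so adding a header in one place updates both resources. After `pulumi up`, feed the stage's `curl -sI` output to `parseRawHeaders` and `missingHeaders` to confirm that what the stage serves matches what was configured.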
