terraform-aws-cloudfront-security-headers

Terraform module to create a Lambda@Edge function to add best practice security headers and support HSTS preload requirements.

Primary language: HCL. License: Apache License 2.0 (Apache-2.0).

Example

module "security_headers" {
  source  = "Lupus-Metallum/cloudfront-security-headers/aws"
  version = "3.0.0"
  name    = "AddSecurityHeaders"

  # CORS response headers
  access_control_allow_methods = "POST, GET, OPTIONS"
  access_control_allow_origin  = "https://example.com"

  # 'unsafe-inline' permits inline scripts and styles; prefer nonces or hashes where the site allows it.
  content_security_policy   = "default-src 'self'; img-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; object-src 'none'"
  referrer_policy           = "same-origin"
  strict_transport_security = "max-age=63072000; includeSubdomains; preload"
  x_content_type_options    = "nosniff"
  x_frame_options           = "DENY"

  # Legacy header: current browsers have removed their XSS auditors, so CSP is the effective control.
  x_xss_protection = "1; mode=block"

  # Empty string (the default): the Feature-Policy header is omitted.
  feature_policy = ""
}

Providers

| Name | Version |
|------|---------|
| aws | n/a |

Resources

| Name | Type |
|------|------|
| aws_cloudfront_function.this | resource |
| aws_partition.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| name | Name to use for resource names created by this module | string | n/a | yes |
| access_control_allow_methods | Value to use for the Access-Control-Allow-Methods header, when not provided this header is omitted. | string | "" | no |
| access_control_allow_origin | Value to use for the Access-Control-Allow-Origin header, when not provided this header is omitted. | string | "" | no |
| content_security_policy | Value to use for the Content-Security-Policy header, when not provided this header is omitted. | string | "" | no |
| description | Description to use for resource description created by this module | string | "Adds security headers for Cloudfront" | no |
| feature_policy | Value to use for the Feature-Policy header, when not provided this header is omitted. | string | "" | no |
| referrer_policy | Value to use for the Referrer-Policy header, when not provided this header is omitted. | string | "" | no |
| strict_transport_security | Value to use for the Strict-Transport-Security header, when not provided this header is omitted. | string | "" | no |
| x_content_type_options | Value to use for the X-Content-Type-Options header, when not provided this header is omitted. | string | "" | no |
| x_frame_options | Value to use for the X-Frame-Options header, when not provided this header is omitted. | string | "" | no |
| x_xss_protection | Value to use for the X-XSS-Protection header, when not provided this header is omitted. | string | "" | no |
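
How these inputs map onto response headers, shown as an added example that is not the module's own code: a CloudFront Functions handler (the module creates an aws_cloudfront_function resource) that sets each configured header and omits empty ones, plus a check of the Strict-Transport-Security value against the hstspreload.org header requirements. The viewer-response event type, the `CONFIG` object, the handler body and the `hstsPreloadProblems` helper are assumptions, with sample values modelled on the Example.

```javascript
// Added example, not the module's source. CONFIG holds constructed sample
// values modelled on the module Example; attaching the function to the
// viewer-response event is an assumption.
var CONFIG = {
  'access-control-allow-methods': 'POST, GET, OPTIONS',
  'access-control-allow-origin': 'https://example.com',
  'content-security-policy': "default-src 'self'; img-src 'self'; object-src 'none'",
  'referrer-policy': 'same-origin',
  'strict-transport-security': 'max-age=63072000; includeSubdomains; preload',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'x-xss-protection': '1; mode=block',
  'feature-policy': '' // empty input: header must be omitted
};

// CloudFront Functions entry point: set every configured header on the
// response, skip inputs left at "", and leave origin headers untouched.
function handler(event) {
  var response = event.response;
  Object.keys(CONFIG).forEach(function (name) {
    if (CONFIG[name] !== '') {
      response.headers[name] = { value: CONFIG[name] };
    }
  });
  return response;
}

// Hypothetical helper: list what stops an HSTS value from meeting the
// preload-list header requirements (max-age of at least one year,
// includeSubDomains, preload). Directive names are case-insensitive.
function hstsPreloadProblems(value) {
  var directives = {};
  value.split(';').forEach(function (part) {
    var kv = part.trim().split('=');
    if (kv[0]) directives[kv[0].toLowerCase()] = (kv[1] || '').replace(/"/g, '');
  });
  var problems = [];
  var maxAge = parseInt(directives['max-age'], 10);
  if (!(maxAge >= 31536000)) problems.push('max-age below 31536000');
  if (!('includesubdomains' in directives)) problems.push('includeSubDomains missing');
  if (!('preload' in directives)) problems.push('preload missing');
  return problems;
}
```

Running `hstsPreloadProblems` on the planned `strict_transport_security` value before `terraform apply` catches a value that would be rejected for preload submission.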

Outputs

| Name | Description |
|------|-------------|
| arn | n/a |