@aws-cdk/aws-cloudfront

The CDK Construct Library for AWS::CloudFront


AWS

33,243 Weekly downloads

Author Amazon Web Services

Published

Repository github.com

License Apache-2.0

Registry www.npmjs.com


npm install @aws-cdk/aws-cloudfront@1.144.0

ResponseHeadersXSSProtection

Determines whether CloudFront includes the X-XSS-Protection HTTP response header and the header’s value.

Example

// Imports assumed by this example (the v1 CDK packages this page documents)
import * as cloudfront from '@aws-cdk/aws-cloudfront';
import * as origins from '@aws-cdk/aws-cloudfront-origins';
import { Duration } from '@aws-cdk/core';

// Using an existing managed response headers policy
declare const bucketOrigin: origins.S3Origin;
new cloudfront.Distribution(this, 'myDistManagedPolicy', {
  defaultBehavior: {
    origin: bucketOrigin,
    responseHeadersPolicy: cloudfront.ResponseHeadersPolicy.CORS_ALLOW_ALL_ORIGINS,
  },
});

// Creating a custom response headers policy -- all parameters optional
const myResponseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'ResponseHeadersPolicy', {
  responseHeadersPolicyName: 'MyPolicy',
  comment: 'A default policy',
  corsBehavior: {
    accessControlAllowCredentials: false,
    accessControlAllowHeaders: ['X-Custom-Header-1', 'X-Custom-Header-2'],
    accessControlAllowMethods: ['GET', 'POST'],
    accessControlAllowOrigins: ['*'],
    accessControlExposeHeaders: ['X-Custom-Header-1', 'X-Custom-Header-2'],
    accessControlMaxAge: Duration.seconds(600),
    originOverride: true,
  },
  customHeadersBehavior: {
    customHeaders: [
      { header: 'X-Amz-Date', value: 'some-value', override: true },
      { header: 'X-Amz-Security-Token', value: 'some-value', override: false },
    ],
  },
  securityHeadersBehavior: {
    contentSecurityPolicy: { contentSecurityPolicy: 'default-src https:;', override: true },
    contentTypeOptions: { override: true },
    frameOptions: { frameOption: cloudfront.HeadersFrameOption.DENY, override: true },
    referrerPolicy: { referrerPolicy: cloudfront.HeadersReferrerPolicy.NO_REFERRER, override: true },
    strictTransportSecurity: { accessControlMaxAge: Duration.seconds(600), includeSubdomains: true, override: true },
    xssProtection: { protection: true, modeBlock: true, reportUri: 'https://example.com/csp-report', override: true },
  },
});

// Attaching the custom policy to a distribution's default behavior
new cloudfront.Distribution(this, 'myDistCustomPolicy', {
  defaultBehavior: {
    origin: bucketOrigin,
    responseHeadersPolicy: myResponseHeadersPolicy,
  },
});

Initializer

import { ResponseHeadersXSSProtection } from '@aws-cdk/aws-cloudfront'
const responseHeadersXSSProtection: ResponseHeadersXSSProtection = { ... }

Properties

Name       | Type    | Description
-----------|---------|------------
override   | boolean | A Boolean that determines whether CloudFront overrides the X-XSS-Protection HTTP response header received from the origin with the one specified in this response headers policy.
protection | boolean | A Boolean that determines the value of the X-XSS-Protection HTTP response header.
modeBlock  | boolean | A Boolean that determines whether CloudFront includes the mode=block directive in the X-XSS-Protection header.
reportUri  | string  | A reporting URI, which CloudFront uses as the value of the report directive in the X-XSS-Protection header.
override (Required)
public readonly override: boolean;
  • Type: boolean

A Boolean that determines whether CloudFront overrides the X-XSS-Protection HTTP response header received from the origin with the one specified in this response headers policy.

protection (Required)
public readonly protection: boolean;
  • Type: boolean

A Boolean that determines the value of the X-XSS-Protection HTTP response header.

When this setting is true, the value of the X-XSS-Protection header is 1. When this setting is false, the value of the X-XSS-Protection header is 0.

modeBlock (Optional)
public readonly modeBlock: boolean;
  • Type: boolean
  • Default: false

A Boolean that determines whether CloudFront includes the mode=block directive in the X-XSS-Protection header.

reportUri (Optional)
public readonly reportUri: string;
  • Type: string
  • Default: no report URI

A reporting URI, which CloudFront uses as the value of the report directive in the X-XSS-Protection header.

You cannot specify a ReportUri when ModeBlock is true.
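The following is an added example, not code from the CDK library: it models how the four properties documented above map onto the X-XSS-Protection value CloudFront sends, including the override rule and the rule that reportUri and modeBlock cannot be combined (a combination the policy example earlier on this page uses). The interface is redeclared locally so the file runs without the CDK packages, and the directive layout ("1; mode=block", "1; report=<uri>") is the header's standard syntax, assumed here rather than taken from this page.

```typescript
// Same shape as the ResponseHeadersXSSProtection interface documented above,
// redeclared so this example runs without @aws-cdk/aws-cloudfront.
interface ResponseHeadersXSSProtection {
  override: boolean;
  protection: boolean;
  modeBlock?: boolean;
  reportUri?: string;
}

// Render the X-XSS-Protection value that a given policy configuration yields.
// Assumption: directives are joined with "; " as in the header's usual syntax.
function xssProtectionHeaderValue(cfg: ResponseHeadersXSSProtection): string {
  if (cfg.modeBlock && cfg.reportUri !== undefined) {
    // Documented constraint: a report URI cannot be combined with mode=block.
    throw new Error('reportUri cannot be specified when modeBlock is true');
  }
  if (!cfg.protection) {
    return '0'; // protection: false sends an explicit "0"
  }
  const directives = ['1']; // protection: true sends "1"
  if (cfg.modeBlock) directives.push('mode=block');
  if (cfg.reportUri !== undefined) directives.push(`report=${cfg.reportUri}`);
  return directives.join('; ');
}

// Apply the override rule: with override: false a header the origin already
// sent is kept as-is; with override: true (or no origin header) the policy wins.
function effectiveXssProtection(
  cfg: ResponseHeadersXSSProtection,
  originHeader?: string,
): string {
  if (!cfg.override && originHeader !== undefined) {
    return originHeader;
  }
  return xssProtectionHeaderValue(cfg);
}
```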