HSTS on Amazon CloudFront from S3 origin

Solution 1:

An update on this...

HTTP response headers can now be customized via Lambda@edge functions. Please see http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-at-the-edge.html for the documentation. To try this, create a new lambda function in the AWS console. Choose 'Edge Nodge.js 4.3' for the language and look for the cloudfront-modify-response-header template. If you do this, Lambda will ask you which CloudFront distribution and event to apply the function to. Note that you can edit or change this at any time by going to the Cloudfront behavior tab.

Here's an example lambda function...

'use strict';
exports.handler = (event, context, callback) => {

    const response = event.Records[0].cf.response;
    response.headers['Strict-Transport-Security'] = 'max-age=2592000; includeSubDomains';

    callback(null, response);
};

Solution 2:

It is not currently possible, see https://forums.aws.amazon.com/thread.jspa?threadID=162252 for a discussion about it.

Edit: Lambda@Edge has made it possible, see below.

---

Solution 3:

To add to Andrew's answer:

I have just tried this and a couple of notes: There is no longer specific edge nodejs runtime, but the lambda needs to be created in the N Virginia region and triggered by cloudfront origin-response or viewer-response.

The code out of the box doesnt seem to work any more. It gives ERR_CONTENT_DECODING_FAILED.

Solution is to use json syntax as follows:

response.headers['Strict-Transport-Security'] = [ { key: 'Strict-Transport-Security', value: "max-age=31536000; includeSubdomains; preload" } ];
response.headers['X-Content-Type-Options']    = [ { key: 'X-Content-Type-Options', value: "nosniff" } ];