s3 sync cannot set custom header (static website) #818
Comments
Really, the AWS CLI can't set an HSTS header in S3 right now? That's sort of a dealbreaker.
There is some discussion on the AWS forums. Unfortunately S3 itself only supports a limited set of headers, and other headers have to be prefixed with x-amz-meta. HSTS isn't on the approved list of headers. Presumably they're worried that visiting https://s3.amazonaws.com/some-bucket/ could set an IncludeSubdomains HSTS header, and then a visit to http://other.bucket.s3.amazonaws.com/ would be directed to https://other.bucket.s3.amazonaws.com/, which would fail as it isn't covered by the wildcard certificate. If you're using CloudFlare to add HTTPS to a static website hosted on S3, they've mentioned plans to add the HSTS header themselves, so that might be an option if S3 doesn't get around to sorting this out :)
If I'm understanding the issue correctly, this would require a fix to the S3 API to allow for this header to be specified. This means there's nothing we can do on the AWS CLI side until S3 itself supports this. I'm going to close this issue out for now. Once S3 supports this we can revisit it again.
The S3 API DOES support adding custom headers. Per the original report, s3cmd does this using the S3 API. My use case is using S3 behind CloudFront, and it is easiest to set all my headers in S3, including Public-Key-Pins and X-Frame-Options etc., e.g.

I am explaining this as a +1 to allow the CLI to set any header you want. It is a real need. I can do this with s3cmd but not the AWS CLI, so I need to use both tools.
@richp10 I've tried to set my S3 bucket with an X-Frame-Options header and still I cannot seem to see it when retrieving response headers or in my clickjacking PoC, so I am still able to use an iframe to show my S3 content (e.g. a static index.html). This is what I've executed so far:

    s3cmd --acl-public s3://xxxx-bucket/index.html --add-header="X-Frame-Options:sameorigin"

This is what I get from a curl -s -v:

    < HTTP/1.1 200 OK

Any ideas? Thank you
Strewth, I'm really sorry, my previous post was in error. s3cmd does not show any error when you set headers other than Cache-Control, but the headers are not actually changed on S3. This functionality is not supported by S3. I forgot to come back and comment on my post, but I have moved on to look at how I can use CloudFront to add the correct headers. My own use case needs lots of flexibility, so I am planning on using the new Lambda@Edge gizmo to add precisely the headers I need. There is some native support for CORS headers using CloudFront and S3, e.g. see http://blog.celingest.com/en/2014/10/02/tutorial-using-cors-with-cloudfront-and-s3/ Unless you front the S3 bucket with CloudFront, I don't think there is any way of achieving what you need. Sorry again that my previous post misled you.
No worries, thank you for the heads up!
@richp10 Do you have a way to prevent clickjacking using AWS WAF and/or CloudFront? Would really appreciate any insight on this if possible. Thank you
I am personally hoping to use Lambda@Edge to have complete control over security headers, but there might be a way of doing what you want without that complexity. Make sure you understand how CORS works, then read this: http://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html which explains how to get S3 to return CORS headers. I think you need to set the 'allowed origin' header to the domain (or wildcarded domain) that you want to be able to load JS from this bucket. Then, in CloudFront, you must whitelist the following request headers so S3 knows what to do. I have not tested this, so don't even take my word that this is possible / will work, but I think it will and it is certainly worth exploring (this is what I plan to explore if I can't get the Lambda approach working.)
I have tried to change the distribution behaviour so that it would whitelist those 3 headers. Still it didn't work. I spoke with someone from their Help Center, and an engineer from S3 said that the only viable option to ensure HSTS would be to use a function in Lambda@Edge, as we talked. Thank you for the help anyway.
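The thread ends with the same conclusion from both the participants and the S3 engineer: S3 will not store or emit headers like Strict-Transport-Security or X-Frame-Options, so they have to be injected in front of the bucket, and a CloudFront origin-response trigger is the place to do it. The following Lambda@Edge handler is an added example for this page, not code from the issue, the aws-cli project or AWS. It assumes an "origin response" trigger (so the headers are added before CloudFront caches the object), that the distribution's viewer protocol policy already forces HTTPS (HSTS only does anything on an HTTPS response), and it uses a header set and max-age that are placeholders to tune per site. The sample event at the bottom is constructed, not captured from a real distribution.

```javascript
'use strict';

// Security headers to stamp onto every response leaving the edge. These
// values are assumptions for illustration; choose them for your own domain.
// S3 cannot emit any of them, so setting them here is the only place they
// can come from when the origin is a plain S3 bucket.
const SECURITY_HEADERS = {
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
};

// CloudFront's header map is keyed by the lowercase name; the `key` field on
// each entry carries the casing CloudFront will actually serialize.
function canonicalName(lowerName) {
  return lowerName
    .split('-')
    .map(part => part.charAt(0).toUpperCase() + part.slice(1))
    .join('-');
}

// Return a copy of a CloudFront origin-response object with the security
// headers added. A header of the same name coming from the origin is
// replaced, so nothing stored on the object can weaken the edge policy.
// The input is not mutated.
function addSecurityHeaders(response) {
  const headers = Object.assign({}, response.headers);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    headers[name] = [{ key: canonicalName(name), value }];
  }
  return Object.assign({}, response, { headers });
}

// Lambda@Edge entry point for the "origin response" trigger. CloudFront
// delivers the origin's response under event.Records[0].cf.response and
// expects the (possibly modified) response object back.
async function handler(event) {
  const response = event.Records[0].cf.response;
  return addSecurityHeaders(response);
}

// Constructed sample event modelled on the origin-response trigger shape for
// a GET of /index.html from an S3 origin. The X-Frame-Options value below is
// there only to show the edge policy overriding whatever the origin sent.
const SAMPLE_EVENT = {
  Records: [{
    cf: {
      config: { distributionId: 'EXAMPLE', eventType: 'origin-response' },
      request: { uri: '/index.html', method: 'GET' },
      response: {
        status: '200',
        statusDescription: 'OK',
        headers: {
          'content-type': [{ key: 'Content-Type', value: 'text/html' }],
          'x-frame-options': [{ key: 'X-Frame-Options', value: 'SAMEORIGIN' }],
        },
      },
    },
  }],
};

if (typeof module !== 'undefined') {
  module.exports = { handler, addSecurityHeaders, SECURITY_HEADERS, SAMPLE_EVENT };
}

// Run directly to see the header map CloudFront would serialize.
if (typeof require !== 'undefined' && require.main === module) {
  handler(SAMPLE_EVENT).then(r => console.log(JSON.stringify(r.headers, null, 2)));
}
```

Two operational points from the thread apply to this function: it must be attached to the distribution behaviour that serves the S3 origin (Lambda@Edge functions are published from us-east-1 and replicated), and if the same bucket is also reachable directly over its website or REST endpoint, that path still serves without any of these headers, so direct bucket access should be blocked with the bucket policy. Verify the deployment the same way the reporter did, with curl -s -v against the CloudFront hostname, and check that Strict-Transport-Security and X-Frame-Options appear in the response.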
Need to be able to set custom headers like with s3cmd's --add-header.

Use case: We currently need the ability to set HSTS headers for our HTML files.