
Initial function

tdmalone committed Mar 29, 2018
1 parent 074e2b6 commit 10939dcd2ab1203d4319426e26cd1d6daea41a1d
Showing with 3,679 additions and 1 deletion.
  1. +6 −0 .eslintrc.js
  2. +5 −0 .gitignore
  3. +96 −0 .travis.yml
  4. +5 −1 README.md
  5. +62 −0 index.js
  6. +34 −0 package.json
  7. +35 −0 tests/fixtures/cloudfront-response.json
  8. +3,436 −0 yarn.lock
@@ -0,0 +1,6 @@

'use strict';

module.exports = {
extends: [ 'tdmalone' ]
};
@@ -0,0 +1,5 @@
/coverage/
/docs/
/node_modules/
*.log
package-lock.json
@@ -0,0 +1,96 @@
language: node_js
services: docker
node_js: 6.10

env:
global:

- AWS_ACCESS_KEY_ID=AKIAJD223QLN3PRDTPFQ
- AWS_DEFAULT_REGION=us-east-1

- LAMBDA_NAME=cloudfrontSecurityHeaders
- LAMBDA_DESCRIPTION=...
- LAMBDA_TIMEOUT=3
- LAMBDA_ROLE=arn:aws:iam::873114526714:role/genericLambdaEdgeRole
- LAMBDA_ALIAS=prod

- LAMBDA_RUNTIME=nodejs6.10
- LAMBDA_MODULE=index
- LAMBDA_HANDLER=handler

# AWS_SECRET_ACCESS_KEY
- secure: 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

cache:
yarn: true
directories:
- node_modules

install: yarn

script:
- yarn lint
- yarn test

before_deploy:
- yarn remove aws-sdk
- rm -rf coverage node_modules tests .*rc.js
- yarn --prod

deploy:

# Deploy to $LATEST on dev branch. (i.e. don't publish a new version).

- on:
branch: dev
publish: false

provider: lambda
function_name: $LAMBDA_NAME
region: $AWS_DEFAULT_REGION
role: $LAMBDA_ROLE
description: $LAMBDA_DESCRIPTION
runtime: $LAMBDA_RUNTIME
timeout: $LAMBDA_TIMEOUT
module_name: $LAMBDA_MODULE
handler_name: $LAMBDA_HANDLER
access_key_id: $AWS_ACCESS_KEY_ID
secret_access_key: $AWS_SECRET_ACCESS_KEY
skip_cleanup: true

# Deploy and publish a new version on master branch.

- on:
branch: master
publish: true

provider: lambda
function_name: $LAMBDA_NAME
region: $AWS_DEFAULT_REGION
role: $LAMBDA_ROLE
description: $LAMBDA_DESCRIPTION
runtime: $LAMBDA_RUNTIME
timeout: $LAMBDA_TIMEOUT
module_name: $LAMBDA_MODULE
handler_name: $LAMBDA_HANDLER
access_key_id: $AWS_ACCESS_KEY_ID
secret_access_key: $AWS_SECRET_ACCESS_KEY
skip_cleanup: true

after_deploy:

# Set a Lambda alias to the most recently deployed version.
- if [ "master" = "${TRAVIS_BRANCH}" ]; then
pip install awscli --upgrade --user;
export MOST_RECENT=$(aws lambda list-versions-by-function --function "${LAMBDA_NAME}" --max-items 10000 | node -e "let stdin=''; process.stdin.on('data',(chunk)=>{stdin+=chunk}).on('end',()=>{console.log(JSON.parse(stdin).Versions.pop().Version)})");
aws lambda update-alias --function-name "${LAMBDA_NAME}" --name "${LAMBDA_ALIAS}" --function-version "${MOST_RECENT}";
fi;

notifications:
email: false
webhooks:
urls: https://api.tm.id.au/v2/travis/jobStatus
slack:
on_start: always
rooms:
- secure: FxtoWhc6tUscuwade8CaBLrOXfm/PVSICN4SsJWjz/1n6WE+0ovxrfWogdu2AuI8ccAv+qIKgmEclK/Tl7x4+qQjkBQ/3vIHPpkYZqmSUMnsV5bno5EWa2Z6ZsDzMzFwhDC150amyT4DETwo6JJHPVdosd5nqMPS7wr/+M6rxQw4gkF7mq+TawJP1n9ubUdlmCLm6UROs0veLgRWfD97FUpVBb9QFefTcu+lbOKIaag7C59oLq3abXeOMKjJyzmYHynHN266UPoU3EYmbhVxr6nY57ML34J3aVbB9u+7+stLw5O0uWT8Czokb7YhW8WtgxD2YzBtQgiF8nEvOf15Xf2SyPRs1iNPtCPelOOuKcp6u1Bmf6SfI4jbKiOUCOgDGrXhmzMPb9fKlWFEHFmQlstPhXUtjHoemMoM5dw5zXqzcGCgJT2YC8PdJSH0gC/LealmKJF+c7Q6nC1ivL1x4NebgDI4gnYoFgxzlndTEmgqmwvL4nsMgE9qibiVgLgMMWW4G8GpyS4OKr/feD2ETarCuXPc4iqQ5l/opAa6Tljr7tOT2YofD+Q7h2nkeIhkAlisNijEeHTeMjaSAqqpqYvR2tHyzoY+7FPZDEcsQX6QpPra2Vjh+4Lb73AZKxNgMwOCXORA7kVSiybj6kcD7zCqFKQ+hePEPjPrQB3nFQk=
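Review bot: `after_deploy` runs `pip install awscli --upgrade --user` without a version pin in the job that holds the deploy credentials, so whichever awscli release and dependencies are current at build time execute with the rights to repoint the `prod` alias; pin it, e.g. `pip install --user awscli==<PINNED_VERSION>`. The `AWS_ACCESS_KEY_ID` entry under `env.global` is a long-lived IAM user key id in plaintext beside the account id in `LAMBDA_ROLE`; the id alone is not a secret, but the user behind it should be limited to the Lambda actions this file appears to need (function create/update, version listing, alias update, and passing that one role). `Versions.pop()` assumes the list call returns versions in ascending order, which is worth a comment or an explicit numeric sort. `yarn remove aws-sdk` in `before_deploy` may fail, since the package.json added in this commit does not list aws-sdk.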
@@ -1 +1,5 @@
# cloudfront-security-headers
# Cloudfront Security Headers

A quick Lambda function to add security headers to an AWS CloudFront response.

At this stage, this function is entirely based off [this blog post](https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/) by AWS.
@@ -0,0 +1,62 @@
/**
* Add security related headers in to a CloudFront response.
*
* At this stage, this function is pretty much entirely based off
* https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/
*/

'use strict';

const FIRST_ITEM = 0;

exports.handler = ( event, context, callback ) => {

// Get contents of response.
const response = event.Records[ FIRST_ITEM ].cf.response;
const headers = response.headers;

// Set new headers.
headers['strict-transport-security'] = [ {
key: 'Strict-Transport-Security',
value: (
'max-age= 63072000; ' +
'includeSubdomains; ' +
'preload'
)
} ];

headers['content-security-policy'] = [ {
key: 'Content-Security-Policy',
value: (
'default-src \'none\'; ' +
'img-src \'self\'; ' +
'script-src \'self\'; ' +
'style-src \'self\'; ' +
'object-src \'none\''
)
} ];

headers['x-content-type-options'] = [ {
key: 'X-Content-Type-Options',
value: 'nosniff'
} ];

headers['x-frame-options'] = [ {
key: 'X-Frame-Options',
value: 'DENY'
} ];

headers['x-xss-protection'] = [ {
key: 'X-XSS-Protection',
value: '1; mode=block'
} ];

headers['referrer-policy'] = [ {
key: 'Referrer-Policy',
value: 'same-origin'
} ];

// Return modified response.
callback( null, response );

}; // Exports.handler.
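Review bot: In the Content-Security-Policy value, `default-src 'none'` does not act as a fallback for `form-action`, `base-uri` or `frame-ancestors`, so those remain unrestricted by this policy; if the served pages allow it, extend the value with `form-action 'self'; base-uri 'none'; frame-ancestors 'none'`. The Strict-Transport-Security string is built from `'max-age= 63072000; '` with a stray space after `=`; parsers that honour optional whitespace will accept it, but `'max-age=63072000; ' +` gives the canonical form that header checkers expect. Each assignment replaces any header of the same name already set by the origin, which deserves a one-line comment such as `// Overwrites any origin-supplied value.` above the block. `X-XSS-Protection: 1; mode=block` targets a browser filter that current browsers have removed, so that header may be worth revisiting.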
@@ -0,0 +1,34 @@
{
"name": "cloudfront-security-headers",
"version": "0.0.0",
"description": "...",
"homepage": "https://github.com/tdmalone/cloudfront-security-headers#readme",
"repository": "git+https://github.com/tdmalone/cloudfront-security-headers.git",
"main": "index.js",
"author": "Tim Malone <tdmalone@gmail.com>",
"scripts": {
"lint": "DEBUG=eslint:cli-engine eslint --color --ignore-pattern '/coverage/' --ignore-pattern '/docs/' --ignore-pattern '!.eslintrc.js' \"**/*.js\"",
"fix": "yarn lint --fix",
"test": "yarn unit-tests && yarn execute",
"unit-tests": "jest --verbose --coverage",
"execute": "docker run --rm -e CI -v \"${PWD}\":/var/task lambci/lambda:nodejs6.10 index.handler \"$(cat tests/fixtures/cloudfront-response.json)\""
},
"keywords": [
"aws",
"lambda",
"cloudfront"
],
"jest": {
"testMatch": [
"**/tests/**/*.js"
]
},
"dependencies": {
},
"devDependencies": {
"eslint": "^4.8.0",
"eslint-config-tdmalone": "^0.0.1",
"jest": "^21.2.1",
"jest-tobetype": "^1.1.0"
}
}
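Review bot: The `jest.testMatch` pattern `**/tests/**/*.js` has nothing to match in this commit as far as the file list shows, since the only file added under tests/ is a JSON fixture; `yarn unit-tests` will then probably exit with "no tests found" and `yarn test` will not reach `yarn execute`, unless test files exist outside this diff. A small test that feeds tests/fixtures/cloudfront-response.json to `index.handler` and asserts the six header values would also pin the security policy against accidental edits. `description` is still the placeholder `"..."`.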
@@ -0,0 +1,35 @@
{
"Records": [
{
"cf": {
"config": {
"distributionId": "EXAMPLE"
},
"response": {
"status": "200",
"headers": {
"last-modified": [
{
"value": "2016-11-25",
"key": "Last-Modified"
}
],
"vary": [
{
"value": "*",
"key": "Vary"
}
],
"x-amz-meta-last-modified": [
{
"value": "2016-01-01",
"key": "X-Amz-Meta-Last-Modified"
}
]
},
"statusDescription": "OK"
}
}
}
]
}
