How to improve and simplify security posture for HTTP responses
In this post, Zapproved shares an inside look at Amazon Web Services (AWS) recent advancements of Lambda@Edge. Because of these improvements, Zapproved can now provide a single, simple point of implementation when applying security related HTTP headers to all the responses served to our customers.
Protecting the privacy, confidentiality and security of our customers’ data is critical and one of the key tenets of secure software — keep implementations simple. So when the Zapproved team was invited to to preview a new capability in CloudFront (Amazon’s worldwide content distribution network otherwise known as a CDN), we jumped at the chance to simplify what had become a difficult security problem.
Applying security-related headers
Our problem with this process was its inefficiency and room for error. When developers do the same work in multiple places they leave room for mistakes. Which can be difficult to find because they appear in only in a portion of our traffic. As shown above, it isn’t even possible to add the security headers we need for assets served from S3.
Enhancing security with Lambda@Edge
Amazon now has Lambda@Edge (still in preview as of this writing). It runs a small piece of code (known as a lambda function) for every HTTP response and allows the code to inspect, modify and add headers before the response is passed back to the user’s web browser.
- Strict-Transport-Security (makes sure that ALL traffic is served over HTTPS)
- Content-Security-Policy (helps prevent cross-site scripting attacks)
- X-Content-Type-Options (helps prevent against content interpretation exploits)
- X-Frame-Options (helps prevent click-jacking)
At Zapproved, we are always trying to do more to enhance security. Amazon makes this simple by constantly creating great features in their AWS platform. These features allow us to offer easier, safer, and more cost effective solutions to our customers with a secure, leading edge product. Lambda@Edge simplifies and unifies our approach for applying security headers, which makes our developer’s lives easier and Digital Discovery Pro a safer place for confidential customer data.
Director of Engineering, Zapproved
Chris joined the Zapproved team due to the great people, products and opportunity to create a new SaaS product. His favorite outdoor activity is boating the Northwest’s rivers, lakes and bays in kayaks and rafts.When Chris is not at work, you can catch him in the kitchen cooking.