I have a React app hosted in AWS S3. To help secure it, I have implemented Lambda@Edge following the AWS guide: https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/
The Nodejs lambda is hosted in N. Virginia:
'use strict';
exports.handler = (event, context, callback) => {
//Get contents of response
const response = event.Records[0].cf.response;
const headers = response.headers;
//Set new headers
headers['strict-transport-security'] = [{key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubdomains; preload'}];
headers['content-security-policy'] = [{key: 'Content-Security-Policy', value: "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'"}];
headers['x-content-type-options'] = [{key: 'X-Content-Type-Options', value: 'nosniff'}];
headers['x-frame-options'] = [{key: 'X-Frame-Options', value: 'DENY'}];
headers['x-xss-protection'] = [{key: 'X-XSS-Protection', value: '1; mode=block'}];
headers['referrer-policy'] = [{key: 'Referrer-Policy', value: 'same-origin'}];
//Return modified response
callback(null, response);
};
HSTS headers and the redirect from HTTP to HTTPS works fine in Google Chrome and Firefox, but Internet Explorer Edge does not redirect. It loads the page over HTTP and has the alert "Not Secure" next to the address bar.
Looking at the network tab in Internet explorer shows the Strict-Transport-Security header in the response. Everything I have research suggests that IE supports HSTS so I am not sure why Edge is not redirecting to HTTPS and instead loading the page over HTTP. I would like to prevent any content being loaded over HTTP.
I have valid certs and domain and everything purchased through AWS, everything works as expected with Firefox and Chrome, just not IE.
