Add HTTP Strict Transport Security (HSTS) in AWS Gateway (REST API)

Question

Our security team wants all our Rest API on AWS to have HTTP Strict Transport Security (HSTS) header set, even though our api's are not called from any webpages.

I have found some use cases on setting response headers in Lambda response but most of our api's are linked to SQS or SNS. So i'm not sure how to add this response header in AWS API GW.

Can anyone guide me on this.

score 9 · Answer 1 · edited Dec 08 '20 at 23:06

9

I was able to find a solution to add the strict Transport Security (HSTS) response header. I have done this through AWS console.

Step 1: Add the Strict-Transport-Security header under Method Response Status code.

Step 2: Under Integration Response, add the necessary mapping value for HSTS header. Attached is the sample i have tried with. The values has to be provided in single quotes(').

Step 3: Verified the same on securityheaders.com website.

edited Dec 08 '20 at 23:06

Ruben Helsloot

12,582
6
26
49

answered Dec 02 '20 at 15:08

Hanumanth Reddy Aredla

277
1
2
11

3

Any advice for proxy integrations? The error message in step 2 is : Proxy integrations cannot be configured to transform responses. – Bryan Stump Jan 22 '21 at 15:49
3

@BryanStump For proxy integrations, you have to pass the headers in the Program Response rather than setting it in the API gateway. In your response payload add headers key to set these. Below is a sample response of my lambda. { "statusCode": "200", "headers": { "content-type": "application/json", "Strict-Transport-Security" : "max-age=63072000; includeSubDomains; preload" } "body": "", "isBase64Encoded": "false" } – Hanumanth Reddy Aredla Jan 23 '21 at 09:29

score 5 · Answer 2 · answered Dec 01 '21 at 16:09

When setting this using Cloudformation and the x-amazon-apigateway-integration be aware to put these header values into single quotes in between double quotes.. ("'my value here'")

e.g.

responses:
  '200':
    description: 200 response for stackoverflow
    headers:
      Content-Length:
        type: string
      Timestamp:
        type: string
      Content-Type:
        type: string
      Strict-Transport-Security:
        type: string

...

x-amazon-apigateway-integration:
  responses:
    '200':
      statusCode: '200'
      responseParameters:
        method.response.header.Strict-Transport-Security: "'max-age=31536000'"

This works perfectly for Cloudformation, thank you – Mr Pablo Oct 13 '22 at 11:25 — Mr Pablo, Oct 13 '22 at 11:25

Add HTTP Strict Transport Security (HSTS) in AWS Gateway (REST API)

2 Answers2