CSP for AWS Cloudfront Lambda@Edge
Pre-reqs:
- In AWS, set up a static site hosted in an S3 bucket.
- Set the permissions on the S3 bucket to include a public access policy and Cloudfront Object Access Identity.
- Set up Cloudfront to serve the content in the S3 bucket.
Config:
- Go to Lambda and make sure you're in the US-East-1 region.
- Create a new function with the Node.js 6.10 runtime.
- Paste in your CSP.js, configured to do what you want. Note: start small and build your policy up gradually.
- Save your code.
- Publish your code and make a note of the ARN (including version number).
- Select Cloudfront as a trigger, choose the Origin Response event and select the distribution that you're going to use.
- Save.
- Go to Cloudfront, select your distribution and edit its behaviours.
- Scroll to the bottom and add a new Lambda Function Association.
- Paste in the ARN from Lambda (including the version number) and select Origin Response.
- Hit save and wait for the distribution to redeploy.
- Go to the Mozilla Observatory [https://observatory.mozilla.org/] and test your policy.
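An added example of what the CSP.js origin-response function can look like (this is illustrative code written for this guide, not the author's own file). The directive list is an assumption chosen to follow the "start small" advice; the other security headers are optional extras.

```javascript
'use strict';
// Lambda@Edge origin-response handler that stamps a Content-Security-Policy
// (plus a few related headers) onto every response CloudFront returns from S3.
// The directive map below is an assumed, deliberately minimal starting policy:
// widen the arrays as the Observatory report and browser console show what
// the site actually needs.
const CSP_DIRECTIVES = {
  'default-src': ["'none'"],
  'script-src': ["'self'"],
  'style-src': ["'self'"],
  'img-src': ["'self'", 'data:'],
  'font-src': ["'self'"],
  'connect-src': ["'self'"],
  'frame-ancestors': ["'none'"],
  'base-uri': ["'self'"],
  'form-action': ["'self'"],
};

// Serialise the directive map into a header value: "name src src; name src".
function buildPolicy(directives) {
  return Object.keys(directives)
    .map((name) => name + ' ' + directives[name].join(' '))
    .join('; ');
}

// Add the headers to a CloudFront response object in place. CloudFront keys
// headers by lowercase name and each value is a list of {key, value} pairs.
function addSecurityHeaders(response, policy) {
  const h = response.headers;
  h['content-security-policy'] = [{ key: 'Content-Security-Policy', value: policy }];
  h['strict-transport-security'] = [{ key: 'Strict-Transport-Security',
                                      value: 'max-age=63072000; includeSubDomains' }];
  h['x-content-type-options'] = [{ key: 'X-Content-Type-Options', value: 'nosniff' }];
  h['x-frame-options'] = [{ key: 'X-Frame-Options', value: 'DENY' }];
  h['referrer-policy'] = [{ key: 'Referrer-Policy', value: 'same-origin' }];
  return response;
}

// Entry point in the Node.js 6.10 callback style used by Lambda@Edge.
function handler(event, context, callback) {
  const response = event.Records[0].cf.response;
  addSecurityHeaders(response, buildPolicy(CSP_DIRECTIVES));
  callback(null, response);
}

if (typeof exports !== 'undefined') { exports.handler = handler; }
```

Because the trigger is Origin Response, CloudFront caches the response together with these headers, so a policy change needs a new function version, an updated association and a redeploy before it shows up.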
Test site via Cloudfront (whilst waiting for pesky HPKP to invalidate): https://d2jy424jiv3w24.cloudfront.net