I have used API gateway to build business logic for my app that invokes lambda function. For security assurance, I have generated a VAT report of the base URL of API from my cyber security expert. A total of 9 Vulnerabilities have been detected including Four Medium, three low-level, and two informational-level vulnerabilities have been identified.
- (CSP) Wild Card Directive
- Content Security Policy (CSP) Header Not Set
- Cross-Domain Misconfiguration
- Missing Anti-clickjacking Header
- Server Leaks Information via “X-Powered-By” HTTP Response Header Field(s)
- Timestamp Disclosure – Unix
- X-Content-Type-Options Header Missing
- Charset Mismatch
- Re-examine Cache Directives
how can remove these all Vulnerability ? is there a need to set or define custom headers? ( if yes then where and how I can do that, either be in API Gateway console or lambda script or in my client or app side code where this API Gateway base URL is invoking ) ?
Top comments (1)
Hi !
So I found some solution from aws repost.
It depends on your requirements and whether you expect the headers to be sent as part of the client request or need to add the headers before the request hits the API Gateway.
If you need to block client requests if some headers are missing, you can associate a WAF ACL with the API Gateway and define rules to block requests without mandatory headers
Look at these two for guidance
docs.aws.amazon.com/apigateway/lat...
aws.amazon.com/premiumsupport/know...
If the requirement is that the headers need to be added to the request before the request reaches the API Gateway even if the client did not send the headers, you can do so using Lambda@Edge with a Cloudfront distribution in front of your API Gateway.
Look at these for guidance
aws.amazon.com/blogs/networking-an... (this example shows response headers but you can use similar concepts to the request headers with some changes)
docs.amazonaws.cn/en_us/AmazonClou...
Some examples of Lambda@Edge functions - docs.aws.amazon.com/AmazonCloudFro...