From 5cbc6d42099e3edca4edc45a426cc8d302e1b941 Mon Sep 17 00:00:00 2001
From: jjcallis
Date: Mon, 25 Sep 2023 11:02:29 +0100
Subject: [PATCH] Update aws_cloudfront_distribution.tf
---
 aws_cloudfront_distribution.tf | 40 ++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/aws_cloudfront_distribution.tf b/aws_cloudfront_distribution.tf
index 1d943a5..0eb519a 100644
--- a/aws_cloudfront_distribution.tf
+++ b/aws_cloudfront_distribution.tf
@@ -40,6 +40,8 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
 #caching
 default_cache_behavior {
+ response_headers_policy_id = aws_cloudfront_response_headers_policy.security_headers_policy.id
+
 min_ttl = var.cloudfront_cache_min_ttl
 default_ttl = var.cloudfront_cache_default_ttl
 max_ttl = var.cloudfront_cache_max_ttl
 
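Review bot: The new `response_headers_policy_id` is attached only to `default_cache_behavior`, so any `ordered_cache_behavior` blocks the distribution may define elsewhere in the file (the `s3_distribution` resource continues outside this hunk) would still serve responses without the X-Frame-Options and HSTS headers the policy adds; if such blocks exist, each needs the same `response_headers_policy_id = aws_cloudfront_response_headers_policy.security_headers_policy.id` line. A short comment above the attribute naming what the policy enforces, e.g. `# attach the security headers policy (X-Frame-Options, HSTS) declared at the bottom of this file`, would help readers who land on this block first, since the policy resource is defined some fifty lines below.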
@@ -93,3 +95,41 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
 }
 
 resource "aws_cloudfront_origin_access_identity" "current" {}
+
+ resource "aws_cloudfront_response_headers_policy" "security_headers_policy" {
+ name = "${var.distribution_name}-cloudfront-security-headers-policy"
+ security_headers_config {
+ # https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
+ # content_type_options {
+ # override = true
+ # }
+ # https://infosec.mozilla.org/guidelines/web_security#x-frame-options
+ frame_options {
+ frame_option = "DENY"
+ override = true
+ }
+ # https://infosec.mozilla.org/guidelines/web_security#referrer-policy
+ # referrer_policy {
+ # referrer_policy = "same-origin"
+ # override = true
+ # }
+ # https://infosec.mozilla.org/guidelines/web_security#content-security-policy
+ # xss_protection {
+ # mode_block = true
+ # protection = true
+ # override = true
+ # }
+ # https://infosec.mozilla.org/guidelines/web_security#http-strict-transport-security
+ strict_transport_security {
+ access_control_max_age_sec = "63072000"
+ include_subdomains = true
+ preload = true
+ override = true
+ }
+ # https://infosec.mozilla.org/guidelines/web_security#content-security-policy
+ # content_security_policy {
+ # content_security_policy = "frame-ancestors 'none'; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'"
+ # override = true
+ # }
+ }
+}
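Review bot: The resource is named `security_headers_policy` but only X-Frame-Options and HSTS are active; `content_type_options`, `referrer_policy` and `content_security_policy` are all left commented out, and the X-Content-Type-Options one has no compatibility cost because it takes only `override = true`, so enabling `content_type_options { override = true }` should be part of this change rather than deferred. The guideline link above the commented-out `xss_protection` block points at the content-security-policy anchor instead of the x-xss-protection one; either fix the link or drop that block entirely, since X-XSS-Protection is deprecated in current browsers and the linked CSP block is the replacement. `access_control_max_age_sec = "63072000"` writes a numeric argument as a string; `access_control_max_age_sec = 63072000` is clearer and avoids relying on HCL type coercion. With `include_subdomains = true` and `preload = true`, HSTS preload is a commitment that is hard to reverse for every subdomain of the served hostname, which deserves a why-comment on that block such as `# preload + include_subdomains: every subdomain must serve HTTPS before this hostname is submitted to the preload list`.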