Fix: Missing response headers (DataBiosphere/azul-private#135, DataBiosphere/azul-private#18, PR #6058)

achave11-ucsc · achave11-ucsc · commit 252eaa1736be · 2024-03-22T20:28:26.000-07:00
diff --git a/terraform/browser/add_response_security_headers.js b/terraform/browser/add_response_security_headers.js
@@ -6,12 +6,14 @@ function handler(event) {
     var headers = response.headers;
 
     // Set HTTP security headers
-    // Since JavaScript doesn't allow for hyphens in variable names, we use the dict["key"] notation 
-    headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; 
-    // headers['content-security-policy'] = { value: "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'"}; 
-    // headers['x-content-type-options'] = { value: 'nosniff'}; 
-    // headers['x-frame-options'] = {value: 'DENY'}; 
-    // headers['x-xss-protection'] = {value: '1; mode=block'}; 
+    // Since JavaScript doesn't allow for hyphens in variable names, we use the
+    // dict['key'] notation
+    headers['strict-transport-security'] = {
+        value: 'max-age=63072000; includeSubdomains; preload'
+    };
+    headers['x-content-type-options'] = { value: 'nosniff' };
+    headers['x-frame-options'] = { value: 'DENY' };
+    headers['x-xss-protection'] = { value: '1; mode=block' };
 
     // Return the response to viewers 
     return response;
