Adding custom security headers

[BrunoBernardino]

In case I'd like to add some custom headers like X-Frame-Options or Content-Security-Policy, it seems my only option is to add a CloudFront function or a Lambda@Edge function, as per the following resources:

• https://stackoverflow.com/questions/33144580/configuring-x-frame-options-response-header-on-aws-cloudfront-and-s3
• https://stackoverflow.com/questions/69227820/add-x-frame-options-header-to-all-urls-using-cloudfront-functions
• https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example-function-add-security-headers.html
• https://github.com/aws-samples/amazon-cloudfront-functions/tree/main/add-security-headers

I'd like to be able to set something like:

component: website
name: my-website

inputs:
  src: ./src
  domain: serverless.com
  bucketName: my-bucket
  headers:
    X-Frame-Options: DENY

I can try to help with a PR for this, but I'd appreciate some pointers on whether this is something you'd be interested in supporting, since there's only one other similar request and I couldn't find anything for custom headers in the code (only this hints at it, but it isn't the same thing)

[BrunoBernardino]

@eahefnawy / @ac360 I've noticed there hasn't been much activity here for almost a year. Let me know if there's a better component/thing to use instead! Thanks.

[weekwood]

AWS introduces response headers policies, when I modified it from cloudfront console and deploy again, ResponseHeadersPolicyId field got removed.

[mnapoli]

Hi, thanks for sharing the use case. That is an interesting feature request. To clarify a bit, note that there are no plans to implement (or review/test/merge a PR) that feature in the coming months.

[BrunoBernardino]

Thanks.