Our security team wants all our REST APIs on AWS to have the HTTP Strict Transport Security (HSTS) header set, even though our APIs are not called from any web pages.
I have found some use cases on setting response headers in a Lambda response, but most of our APIs are linked to SQS or SNS. So I'm not sure how to add this response header in AWS API Gateway.
Can anyone guide me on this?
I was able to find a solution to add the Strict-Transport-Security (HSTS) response header. I have done this through the AWS console.
Step 1: Add the Strict-Transport-Security header under Method Response for the status code.
Step 2: Under Integration Response, add the necessary mapping value for the HSTS header. Attached is the sample I have tried with. The values have to be provided in single quotes (').
Step 3: Verified the same on the securityheaders.com website.
When setting this using CloudFormation and the x-amazon-apigateway-integration extension, be aware that you have to put these header values into single quotes inside double quotes ("'my value here'").
e.g.
responses:
  '200':
    description: 200 response for stackoverflow
    headers:
      Content-Length:
        type: string
      Timestamp:
        type: string
      Content-Type:
        type: string
      Strict-Transport-Security:
        type: string
...
x-amazon-apigateway-integration:
  responses:
    '200':
      statusCode: '200'
      responseParameters:
        method.response.header.Strict-Transport-Security: "'max-age=31536000'"
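The two mapping steps above (declare the header on the method response, then map a single-quoted static value on the integration response) and the verification step, as an added example that is not part of either answer. It builds the `responseParameters` arguments in the shape `put-method-response` / `put-integration-response` expect without calling AWS, and checks a constructed response header block the way securityheaders.com would; the `min_age` threshold and the sample headers are assumptions.

```python
import re
from typing import Dict, Optional

HSTS_HEADER = "Strict-Transport-Security"
ONE_YEAR = 31536000  # the max-age used in the YAML above, in seconds

def method_response_parameters() -> Dict[str, bool]:
    """Step 1: declare the header on the Method Response (False = not required)."""
    return {f"method.response.header.{HSTS_HEADER}": False}

def integration_response_parameters(value: str = f"max-age={ONE_YEAR}") -> Dict[str, str]:
    """Step 2: map a static value on the Integration Response.
    API Gateway treats an unquoted value as an expression such as
    integration.response.header.X, so a literal must sit inside single quotes.
    """
    if "'" in value:
        raise ValueError("static header value must not itself contain single quotes")
    return {f"method.response.header.{HSTS_HEADER}": f"'{value}'"}

def parse_hsts_max_age(raw_headers: str) -> Optional[int]:
    """Return max-age from the HSTS header of a raw HTTP response, or None if absent."""
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == HSTS_HEADER.lower():
            m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
            if m:
                return int(m.group(1))
    return None

def hsts_ok(raw_headers: str, min_age: int = ONE_YEAR) -> bool:
    """Step 3: True when HSTS is present with a max-age of at least min_age."""
    age = parse_hsts_max_age(raw_headers)
    return age is not None and age >= min_age

# Constructed samples of what a client would see from the deployed API.
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    f"{HSTS_HEADER}: max-age={ONE_YEAR}\r\n"
    "\r\n"
)
SAMPLE_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"

if __name__ == "__main__":
    print(method_response_parameters())
    print(integration_response_parameters())
    print("ok:", hsts_ok(SAMPLE_OK), "missing:", hsts_ok(SAMPLE_MISSING))
```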