amplify-hosting

Custom headers missing from redirect response

Open mulderje opened this issue 4 years ago • 18 comments

Please describe which feature you have a question about?

Is it possible to have headers in a redirect response? As an example, if I want to be able to set Strict-Transport-Security: max-age=63072000; includeSubDomains; preload to be HSTS compliant, is that possible? I need to be able to serve that on example.com in addition to just on www.example.com. Any guidance would be much appreciated.

Provide additional details

In my build settings I have the below:

  customHeaders:
    - pattern: '**/*'
      headers:
        - key: 'Strict-Transport-Security'
          value: 'max-age=31536000; includeSubDomains; preload'
        - key: 'X-Frame-Options'
          value: 'SAMEORIGIN'
        - key: 'X-XSS-Protection'
          value: '1; mode=block'
        - key: 'X-Content-Type-Options'
          value: 'nosniff'
        - key: 'Content-Security-Policy'
          value: "default-src 'none'; script-src 'self';... snipped"
        - key: 'Referrer-Policy'
          value: 'same-origin'

I have the below in my redirects (domain changed):

[
    {
        "source": "http://example.com",
        "target": "https://www.example.com",
        "status": "301",
        "condition": null
    },
    {
        "source": "http://www.example.com",
        "target": "https://www.example.com",
        "status": "301",
        "condition": null
    },
    {
        "source": "https://example.com",
        "target": "https://www.example.com",
        "status": "301",
        "condition": null
    },
    {
        "source": "/<*>",
        "target": "/index.html",
        "status": "404",
        "condition": null
    }
]

Right now when looking at the headers for http://example.com I see the below:

HTTP/1.1 301 Moved Permanently
Connection: keep-alive
Content-Length: 183
Content-Type: text/html
Date: Sun, 26 Apr 2020 16:55:37 GMT
Location: https://exmple.com/
Server: CloudFront
Via: 1.1 redacted.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 3yRuneR4WhJxPryPpeOnDukKPiEDsvyuz3ZuwPLYJBKmvnVlo9qW_g==
X-Amz-Cf-Pop: EWR52-C4
X-Cache: Redirect from cloudfront

Likewise for https://example.com:

HTTP/1.1 301 Moved Permanently
Connection: keep-alive
Content-Length: 0
Date: Sun, 26 Apr 2020 17:10:22 GMT
Location: https://www.example.com/
Server: CloudFront
Via: 1.1 redacted.cloudfront.net (CloudFront)
X-Amz-Cf-Id: QrwGwtEutf550fxyPWiivTyr51MnOxd1ekIMlIZlIZ88ejX-URcI2g==
X-Amz-Cf-Pop: EWR52-C1
X-Cache: Miss from cloudfront

App id: d2gjczoto5f568

mulderje, Apr 26 '20 17:04
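An added example, not part of the original issue and not Amplify code: a Python check that takes a captured response head like the ones above and reports what keeps it from meeting the HSTS preload requirements (max-age of at least one year, includeSubDomains, preload). The sample responses are constructed from the issue's https://example.com capture, and the function names are hypothetical.

```python
import re

# Constructed sample: the HTTPS apex redirect from the issue, trimmed to the relevant headers.
APEX_REDIRECT = """\
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Location: https://www.example.com/
Server: CloudFront
X-Cache: Miss from cloudfront
"""

# Constructed sample: the same redirect as it would look if the configured header were applied.
APEX_REDIRECT_WITH_HSTS = APEX_REDIRECT + (
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\n"
)

MIN_PRELOAD_MAX_AGE = 31536000  # one year, the minimum the preload list accepts


def parse_response(raw):
    """Split a raw response head into (status_code, {lowercased-name: value})."""
    lines = [ln.strip() for ln in raw.strip().splitlines()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_findings(raw):
    """Return the problems that keep this response from being preload-ready."""
    status, headers = parse_response(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return [f"{status} response has no Strict-Transport-Security header"]
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    findings = []
    match = next((re.fullmatch(r'max-age="?(\d+)"?', d) for d in directives
                  if d.startswith("max-age")), None)
    if match is None:
        findings.append("max-age missing or malformed")
    elif int(match.group(1)) < MIN_PRELOAD_MAX_AGE:
        findings.append(f"max-age {match.group(1)} is below {MIN_PRELOAD_MAX_AGE}")
    for required in ("includesubdomains", "preload"):
        if required not in directives:
            findings.append(f"{required} directive missing")
    return findings
```

Run it against the HTTPS hop only: browsers ignore Strict-Transport-Security received over plain HTTP, so the http://example.com response is not the one that needs the header.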