How to improve and simplify security posture for HTTP responses

In this post, Zapproved shares an inside look at Amazon Web Services' (AWS) recent advancements to Lambda@Edge. Because of these improvements, Zapproved can now provide a single, simple point of implementation for applying security-related HTTP headers to all the responses served to our customers.

Protecting the privacy, confidentiality and security of our customers’ data is critical, and one of the key tenets of secure software is to keep implementations simple. So when the Zapproved team was invited to preview a new capability in CloudFront (Amazon’s worldwide content distribution network, otherwise known as a CDN), we jumped at the chance to simplify what had become a difficult security problem.

Applying security-related headers

Zapproved’s Digital Discovery Pro solution is composed of many HTTP APIs and an AWS S3 bucket that serves the static content of our products, such as HTML, CSS, and JavaScript. For each of these services, developers were individually responsible for making sure they included all the necessary security headers. This meant developers had to work on many different pieces of code and deploy them at different times.

Our problem with this process was its inefficiency and room for error. When developers do the same work in multiple places, they leave room for mistakes, which can be difficult to find because they appear in only a portion of our traffic. As shown above, it isn’t even possible to add the security headers we need for assets served from S3.

Enhancing security with Lambda@Edge

Amazon now has Lambda@Edge (still in preview as of this writing). It runs a small piece of code (known as a lambda function) for every HTTP response and allows the code to inspect, modify and add headers before the response is passed back to the user’s web browser.

This allows us to provide a single Lambda function to add additional HTTP headers to all responses served by CloudFront to our users’ web browsers. Instead of having this responsibility spread over multiple services and repeatedly implemented, we provide CloudFront with a single JavaScript function that gets called for all requests from our origin servers. We have one place to add recommended security headers like:

  • Strict-Transport-Security (makes sure that ALL traffic is served over HTTPS)
  • Content-Security-Policy (helps prevent cross-site scripting attacks)
  • X-Content-Type-Options (helps prevent against content interpretation exploits)
  • X-Frame-Options (helps prevent click-jacking)
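As an added example (not Zapproved’s production function and not AWS sample code), the following Node.js Lambda@Edge function adds the four headers listed above to every response CloudFront serves. It assumes the event shape Lambda@Edge delivers for a response trigger (`event.Records[0].cf.response`, with headers keyed by lowercase name); the Content-Security-Policy value is a placeholder that a real deployment would tailor to its own scripts and API endpoints, and `sampleEvent` is a constructed S3-style response used only to exercise the handler.

```javascript
'use strict';

// Added example: a Lambda@Edge response handler that applies a fixed set of
// security headers. The CSP value below is a placeholder, not a real policy.
var SECURITY_HEADERS = {
  'strict-transport-security': {
    key: 'Strict-Transport-Security',
    value: 'max-age=31536000; includeSubDomains'
  },
  'content-security-policy': {
    key: 'Content-Security-Policy',
    value: "default-src 'self'" // placeholder; tailor to the site's sources
  },
  'x-content-type-options': {
    key: 'X-Content-Type-Options',
    value: 'nosniff'
  },
  'x-frame-options': {
    key: 'X-Frame-Options',
    value: 'DENY'
  }
};

// Lambda@Edge keeps response headers as a map from lowercase header name to
// an array of { key, value } objects. A header the origin already sent is
// left alone, so an API that deliberately emits a stricter policy keeps it;
// everything else gets the default from SECURITY_HEADERS.
function addSecurityHeaders(response) {
  if (!response.headers) {
    response.headers = {};
  }
  var headers = response.headers;
  Object.keys(SECURITY_HEADERS).forEach(function (name) {
    var existing = headers[name];
    if (!existing || existing.length === 0) {
      headers[name] = [{
        key: SECURITY_HEADERS[name].key,
        value: SECURITY_HEADERS[name].value
      }];
    }
  });
  return response;
}

// Callback-style handler for an origin-response or viewer-response trigger.
function handler(event, context, callback) {
  var response = event.Records[0].cf.response;
  callback(null, addSecurityHeaders(response));
}

// Constructed sample event (not captured from CloudFront) shaped like the one
// delivered for an S3 origin response; only the fields the handler reads
// are filled in. The origin already sets X-Frame-Options: SAMEORIGIN, which
// the handler must preserve.
function sampleEvent() {
  return {
    Records: [{
      cf: {
        response: {
          status: '200',
          statusDescription: 'OK',
          headers: {
            'content-type': [{ key: 'Content-Type', value: 'text/html' }],
            'x-frame-options': [{ key: 'X-Frame-Options', value: 'SAMEORIGIN' }]
          }
        }
      }
    }]
  };
}

if (typeof module !== 'undefined') {
  module.exports = { handler: handler, addSecurityHeaders: addSecurityHeaders, sampleEvent: sampleEvent };
}
```

Attaching this to the origin-response event rather than viewer-response means the headers are written once per cache miss and stored with the cached object, so the function does not run on every viewer request; the trade-off is that a header change only takes effect as cached objects expire or are invalidated.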

At Zapproved, we are always trying to do more to enhance security. Amazon makes this simple by constantly creating great features in their AWS platform. These features allow us to offer easier, safer, and more cost-effective solutions to our customers with a secure, leading-edge product. Lambda@Edge simplifies and unifies our approach to applying security headers, which makes our developers’ lives easier and Digital Discovery Pro a safer place for confidential customer data.

AUTHOR: Chris Baker, Director of Engineering, Zapproved

Chris joined the Zapproved team due to the great people, products and opportunity to create a new SaaS product. His favorite outdoor activity is boating the Northwest’s rivers, lakes and bays in kayaks and rafts. When Chris is not at work, you can catch him in the kitchen cooking.