I am trying to set the X-Frame-Options HTTP response header for an AngularJS application hosted in Amazon S3 and served through CloudFront. Is it possible for me to do that?
Solution
You can use a Lambda@Edge function to add the x-frame-options header to the CloudFront / S3 response. The Lambda code runs at the local edge locations, but it must be created and maintained in the us-east-1 region.
```javascript
'use strict';

// Lambda@Edge origin-response handler: add X-Frame-Options to every response.
exports.handler = (event, context, callback) => {
  const response = event.Records[0].cf.response;
  // CloudFront expects lowercase header-map keys and an array of {key, value} objects.
  response.headers['x-frame-options'] = [{ key: 'X-Frame-Options', value: 'SAMEORIGIN' }];
  // Logged to CloudWatch Logs for debugging.
  console.log(response.headers);
  callback(null, response);
};
```
Create a published version of the Lambda, then set the trigger configuration of that Lambda version to the CloudFront origin-response event type on the path-pattern behavior.
The sample code logs the event to the CloudWatch Logs service for debugging. If you don't already have one, you will need to set up a Lambda execution IAM role whose policy allows the CloudWatch Logs actions and whose trust relationship allows edgelambda.amazonaws.com and lambda.amazonaws.com to assume it.
Basic Lambda execution policy that allows writing logs to CloudWatch:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow"
    }
  ]
}
```
Trust relationship that allows Lambda and Lambda@Edge to assume the role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "edgelambda.amazonaws.com",
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
It would be nicer if AWS simply allowed setting the x-frame-options header in the GUI, but until then this solution works fine and will keep your security auditors happy.
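As an added example (not code from the answer above), here is a variant of the same origin-response handler with the header logic pulled into a helper so it can be exercised offline against a constructed CloudFront event; it assumes the function is attached to the origin-response trigger as described, and it deliberately keeps an X-Frame-Options value the origin already sent rather than overwriting it.

```javascript
'use strict';

// Added example, not the original answer's code. Assumptions: origin-response
// trigger; CloudFront header maps use lowercase keys and [{key, value}] arrays.
const FRAME_HEADER = { key: 'X-Frame-Options', value: 'SAMEORIGIN' };

// Adds X-Frame-Options only when the origin did not set one, so an object-level
// value (for example a page that legitimately must be framed) is not silently
// replaced at the edge. Returns the (mutated) response for chaining.
function addFrameOptions(response) {
  const headers = response.headers || (response.headers = {});
  if (!Array.isArray(headers['x-frame-options']) || headers['x-frame-options'].length === 0) {
    headers['x-frame-options'] = [FRAME_HEADER];
  }
  return response;
}

// Lambda@Edge entry point (callback style, like the handler in the answer).
const handler = (event, context, callback) => {
  const response = event.Records[0].cf.response;
  callback(null, addFrameOptions(response));
};
if (typeof exports !== 'undefined') {
  exports.handler = handler;
}

// Constructed origin-response event shaped like the one CloudFront delivers.
function makeEvent(headers) {
  return { Records: [{ cf: { response: { status: '200', headers } } }] };
}

// Runs the handler on a constructed event and returns the resulting header map.
function runHandler(headers) {
  let result;
  handler(makeEvent(headers), {}, (err, res) => { result = res.headers; });
  return result;
}
```

Note that CloudFront response headers policies can now attach X-Frame-Options to a distribution without any function code; the Lambda@Edge route still applies when the value must be computed per response.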