Ensure AWS CloudFront response header policy enforces Strict Transport Security

Error: AWS CloudFront response header policy does not enforce Strict Transport Security

Bridgecrew Policy ID: BC_AWS_GENERAL_134
Checkov Check ID: CKV_AWS_259
Severity: LOW

Description

Enforcing HTTP Strict Transport Security (HSTS) in your AWS CloudFront response headers policy improves the security of your website or application by making CloudFront send the Strict-Transport-Security header on every response.

HSTS is a response header that tells web browsers to communicate with a site only over HTTPS, never over plain HTTP, for the period given by its max-age directive. This prevents protocol-downgrade and other man-in-the-middle attacks that depend on the browser accepting an unencrypted connection.

Fix - Runtime

Fix - Buildtime

Terraform

resource "aws_cloudfront_response_headers_policy" "pass" {
  name = "test"

  security_headers_config {
    strict_transport_security {
      # max-age in seconds; one year is the minimum the browser preload lists accept
      access_control_max_age_sec = 31536000
      # apply the HTTPS-only rule to all subdomains as well
      include_subdomains         = true
      # overwrite any Strict-Transport-Security header the origin already sends
      override                   = true
      # emit the preload directive so the domain can be submitted to hstspreload.org
      preload                    = true
    }
  }
}
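Once the policy is deployed, it is worth confirming that the distribution really returns a compliant header. The following Python check is an added example, not part of this page, of Checkov or of AWS; it parses a Strict-Transport-Security header value against the settings used in the Terraform above and runs on a constructed sample (SAMPLE_HEADERS) in place of a live CloudFront response.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# One year: the access_control_max_age_sec value in the Terraform fix above.
MIN_MAX_AGE_SEC = 31536000
# Constructed sample of the header that policy makes CloudFront emit.
SAMPLE_HEADERS = {"Strict-Transport-Security":
                  "max-age=31536000; includeSubDomains; preload"}

@dataclass
class HstsResult:
    present: bool
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.present and not self.problems

def check_hsts(headers: dict[str, str]) -> HstsResult:
    """Locate Strict-Transport-Security (header names are case-insensitive),
    parse its RFC 6797 directives and flag anything weaker than the policy."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return HstsResult(present=False, problems=["header missing"])
    result = HstsResult(present=True)
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():  # non-numeric counts as missing
            result.max_age = int(arg)
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
    if result.max_age is None:
        result.problems.append("max-age directive missing or invalid")
    elif result.max_age == 0:
        result.problems.append("max-age=0 tells browsers to forget the HSTS policy")
    elif result.max_age < MIN_MAX_AGE_SEC:
        result.problems.append(f"max-age {result.max_age} below {MIN_MAX_AGE_SEC}")
    if not result.include_subdomains:
        result.problems.append("includeSubDomains not set")
    if result.preload and (not result.include_subdomains
                          or (result.max_age or 0) < MIN_MAX_AGE_SEC):
        result.problems.append("preload needs includeSubDomains and a 1-year max-age")
    return result
```

To check a real distribution, feed it the response headers from an HTTPS request to the CloudFront domain; a response without the header, or with a short max-age, is exactly what this policy is meant to catch.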