
Handle custom header in AWS API Gateway?


I have used API Gateway to build business logic for my app that invokes the Lambda function. For security assurance, I have generated a VAT report of the base URL of the API from my cyber security expert. A total of 9 vulnerabilities have been detected: four medium, three low-level, and two informational-level.

  1. (CSP) Wild Card Directive
  2. Content Security Policy (CSP) Header Not Set
  3. Cross-Domain Misconfiguration
  4. Missing Anti-clickjacking Header
  5. Server Leaks Information via “X-Powered-By” HTTP Response Header Field(s)
  6. Timestamp Disclosure – Unix
  7. X-Content-Type-Options Header Missing
  8. Charset Mismatch
  9. Re-examine Cache Directives

How can I remove all these vulnerabilities? Is there a need to set or define custom headers? (If yes, then where and how can I do that: in the API Gateway console, in the Lambda script, or in my client/app-side code where this API Gateway base URL is invoked?)

Solution

  • One solution would be to integrate with AWS WAF for protecting your APIs against common web exploits.

    https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html

    irt custom headers: https://aws.amazon.com/premiumsupport/knowledge-center/custom-headers-api-gateway-lambda/
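With a Lambda proxy integration, API Gateway passes the `headers` map of the Lambda response through to the client, so most of the header findings listed in the question can be fixed in the function itself. The handler below is an added example, not code from the question, the answer, or the AWS article; `business_logic` and the `ALLOWED_ORIGINS` set are constructed stand-ins for the asker's own application and origins.

```python
import json

# Constructed allowlist for the example; replace with the app's real origins.
ALLOWED_ORIGINS = {"https://app.example.com"}

# Headers that address the findings in the question. A JSON API serves no
# scripts or styles, so the CSP can be fully locked down (no wildcard), and
# frame-ancestors covers clickjacking alongside X-Frame-Options.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",                    # no caching of API responses
    "Content-Type": "application/json; charset=utf-8",  # fixes charset mismatch
}


def cors_headers(origin):
    """Echo only allowlisted origins; never answer '*' for a credentialed API."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def business_logic(event):
    """Hypothetical stand-in for the asker's application code."""
    return {"ok": True, "path": event.get("path", "/")}


def lambda_handler(event, context):
    """Lambda proxy-integration handler; API Gateway forwards these headers verbatim."""
    request_headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    headers = dict(SECURITY_HEADERS)
    headers.update(cors_headers(request_headers.get("origin")))
    # Deliberately no X-Powered-By or build timestamps: they only aid fingerprinting.
    return {
        "statusCode": 200,
        "headers": headers,
        "body": json.dumps(business_logic(event)),
    }
```

Findings that come from the API Gateway edge itself (for example a timestamp or `X-Powered-By` value it injects) cannot be removed from Lambda; those are the cases where a WAF or a CloudFront response-headers policy in front of the API is the right layer.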