UNPKG

aws-cdk-lib

Version:

Version 2 of the AWS Cloud Development Kit library

github.com/aws/aws-cdk

aws/aws-cdk

365 lines (364 loc) 14.3 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
import { Construct } from 'constructs'; import { Duration, Resource } from '../../core'; /** * Represents a response headers policy. */ export interface IResponseHeadersPolicy { /** * The ID of the response headers policy * @attribute **/ readonly responseHeadersPolicyId: string; } /** * Properties for creating a Response Headers Policy */ export interface ResponseHeadersPolicyProps { /** * A unique name to identify the response headers policy. * * @default - generated from the `id` */ readonly responseHeadersPolicyName?: string; /** * A comment to describe the response headers policy. * * @default - no comment */ readonly comment?: string; /** * A configuration for a set of HTTP response headers that are used for cross-origin resource sharing (CORS). * * @default - no cors behavior */ readonly corsBehavior?: ResponseHeadersCorsBehavior; /** * A configuration for a set of custom HTTP response headers. * * @default - no custom headers behavior */ readonly customHeadersBehavior?: ResponseCustomHeadersBehavior; /** * A configuration for a set of security-related HTTP response headers. * * @default - no security headers behavior */ readonly securityHeadersBehavior?: ResponseSecurityHeadersBehavior; /** * A list of HTTP response headers that CloudFront removes from HTTP responses * that it sends to viewers. * * @default - no headers are removed */ readonly removeHeaders?: string[]; /** * The percentage of responses that you want CloudFront to add the Server-Timing * header to. * * @default - no Server-Timing header is added to HTTP responses */ readonly serverTimingSamplingRate?: number; } /** * A Response Headers Policy configuration * * @resource AWS::CloudFront::ResponseHeadersPolicy */ export declare class ResponseHeadersPolicy extends Resource implements IResponseHeadersPolicy { /** Use this managed policy to allow simple CORS requests from any origin. */ static readonly CORS_ALLOW_ALL_ORIGINS: IResponseHeadersPolicy; /** Use this managed policy to allow CORS requests from any origin, including preflight requests. */ static readonly CORS_ALLOW_ALL_ORIGINS_WITH_PREFLIGHT: IResponseHeadersPolicy; /** Use this managed policy to add a set of security headers to all responses that CloudFront sends to viewers. */ static readonly SECURITY_HEADERS: IResponseHeadersPolicy; /** Use this managed policy to allow simple CORS requests from any origin and add a set of security headers to all responses that CloudFront sends to viewers. */ static readonly CORS_ALLOW_ALL_ORIGINS_AND_SECURITY_HEADERS: IResponseHeadersPolicy; /** Use this managed policy to allow CORS requests from any origin, including preflight requests, and add a set of security headers to all responses that CloudFront sends to viewers. */ static readonly CORS_ALLOW_ALL_ORIGINS_WITH_PREFLIGHT_AND_SECURITY_HEADERS: IResponseHeadersPolicy; /** * Import an existing Response Headers Policy from its ID. */ static fromResponseHeadersPolicyId(scope: Construct, id: string, responseHeadersPolicyId: string): IResponseHeadersPolicy; private static fromManagedResponseHeadersPolicy; readonly responseHeadersPolicyId: string; constructor(scope: Construct, id: string, props?: ResponseHeadersPolicyProps); private _renderCorsConfig; private _renderCustomHeadersConfig; private _renderSecurityHeadersConfig; private _renderRemoveHeadersConfig; private _renderServerTimingHeadersConfig; } /** * Configuration for a set of HTTP response headers that are used for cross-origin resource sharing (CORS). * CloudFront adds these headers to HTTP responses that it sends for CORS requests that match a cache behavior * associated with this response headers policy. */ export interface ResponseHeadersCorsBehavior { /** * A Boolean that CloudFront uses as the value for the Access-Control-Allow-Credentials HTTP response header. */ readonly accessControlAllowCredentials: boolean; /** * A list of HTTP header names that CloudFront includes as values for the Access-Control-Allow-Headers HTTP response header. * You can specify `['*']` to allow all headers. */ readonly accessControlAllowHeaders: string[]; /** * A list of HTTP methods that CloudFront includes as values for the Access-Control-Allow-Methods HTTP response header. * * Allowed methods: `'GET'`, `'DELETE'`, `'HEAD'`, `'OPTIONS'`, `'PATCH'`, `'POST'`, and `'PUT'`. * You can specify `['ALL']` to allow all methods. */ readonly accessControlAllowMethods: string[]; /** * A list of origins (domain names) that CloudFront can use as the value for the Access-Control-Allow-Origin HTTP response header. * You can specify `['*']` to allow all origins. */ readonly accessControlAllowOrigins: string[]; /** * A list of HTTP headers that CloudFront includes as values for the Access-Control-Expose-Headers HTTP response header. * You can specify `['*']` to expose all headers. * * @default - no headers exposed */ readonly accessControlExposeHeaders?: string[]; /** * A number that CloudFront uses as the value for the Access-Control-Max-Age HTTP response header. * * @default - no max age */ readonly accessControlMaxAge?: Duration; /** * A Boolean that determines whether CloudFront overrides HTTP response headers received from the origin with the ones specified in this response headers policy. */ readonly originOverride: boolean; } /** * Configuration for a set of HTTP response headers that are sent for requests that match a cache behavior * that’s associated with this response headers policy. */ export interface ResponseCustomHeadersBehavior { /** * The list of HTTP response headers and their values. */ readonly customHeaders: ResponseCustomHeader[]; } /** * An HTTP response header name and its value. * CloudFront includes this header in HTTP responses that it sends for requests that match a cache behavior that’s associated with this response headers policy. */ export interface ResponseCustomHeader { /** * The HTTP response header name. */ readonly header: string; /** * A Boolean that determines whether CloudFront overrides a response header with the same name * received from the origin with the header specified here. */ readonly override: boolean; /** * The value for the HTTP response header. */ readonly value: string; } /** * Configuration for a set of security-related HTTP response headers. * CloudFront adds these headers to HTTP responses that it sends for requests that match a cache behavior * associated with this response headers policy. */ export interface ResponseSecurityHeadersBehavior { /** * The policy directives and their values that CloudFront includes as values for the Content-Security-Policy HTTP response header. * * @default - no content security policy */ readonly contentSecurityPolicy?: ResponseHeadersContentSecurityPolicy; /** * Determines whether CloudFront includes the X-Content-Type-Options HTTP response header with its value set to nosniff. * * @default - no content type options */ readonly contentTypeOptions?: ResponseHeadersContentTypeOptions; /** * Determines whether CloudFront includes the X-Frame-Options HTTP response header and the header’s value. * * @default - no frame options */ readonly frameOptions?: ResponseHeadersFrameOptions; /** * Determines whether CloudFront includes the Referrer-Policy HTTP response header and the header’s value. * * @default - no referrer policy */ readonly referrerPolicy?: ResponseHeadersReferrerPolicy; /** * Determines whether CloudFront includes the Strict-Transport-Security HTTP response header and the header’s value. * * @default - no strict transport security */ readonly strictTransportSecurity?: ResponseHeadersStrictTransportSecurity; /** * Determines whether CloudFront includes the X-XSS-Protection HTTP response header and the header’s value. * * @default - no xss protection */ readonly xssProtection?: ResponseHeadersXSSProtection; } /** * The policy directives and their values that CloudFront includes as values for the Content-Security-Policy HTTP response header. */ export interface ResponseHeadersContentSecurityPolicy { /** * The policy directives and their values that CloudFront includes as values for the Content-Security-Policy HTTP response header. */ readonly contentSecurityPolicy: string; /** * A Boolean that determines whether CloudFront overrides the Content-Security-Policy HTTP response header * received from the origin with the one specified in this response headers policy. */ readonly override: boolean; } /** * Determines whether CloudFront includes the X-Content-Type-Options HTTP response header with its value set to nosniff. */ export interface ResponseHeadersContentTypeOptions { /** * A Boolean that determines whether CloudFront overrides the X-Content-Type-Options HTTP response header * received from the origin with the one specified in this response headers policy. */ readonly override: boolean; } /** * Determines whether CloudFront includes the X-Frame-Options HTTP response header and the header’s value. */ export interface ResponseHeadersFrameOptions { /** * The value of the X-Frame-Options HTTP response header. */ readonly frameOption: HeadersFrameOption; /** * A Boolean that determines whether CloudFront overrides the X-Frame-Options HTTP response header * received from the origin with the one specified in this response headers policy. */ readonly override: boolean; } /** * Determines whether CloudFront includes the Referrer-Policy HTTP response header and the header’s value. */ export interface ResponseHeadersReferrerPolicy { /** * The value of the Referrer-Policy HTTP response header. */ readonly referrerPolicy: HeadersReferrerPolicy; /** * A Boolean that determines whether CloudFront overrides the Referrer-Policy HTTP response header * received from the origin with the one specified in this response headers policy. */ readonly override: boolean; } /** * Determines whether CloudFront includes the Strict-Transport-Security HTTP response header and the header’s value. */ export interface ResponseHeadersStrictTransportSecurity { /** * A number that CloudFront uses as the value for the max-age directive in the Strict-Transport-Security HTTP response header. */ readonly accessControlMaxAge: Duration; /** * A Boolean that determines whether CloudFront includes the includeSubDomains directive in the Strict-Transport-Security HTTP response header. * * @default false */ readonly includeSubdomains?: boolean; /** * A Boolean that determines whether CloudFront overrides the Strict-Transport-Security HTTP response header * received from the origin with the one specified in this response headers policy. */ readonly override: boolean; /** * A Boolean that determines whether CloudFront includes the preload directive in the Strict-Transport-Security HTTP response header. * * @default false */ readonly preload?: boolean; } /** * Determines whether CloudFront includes the X-XSS-Protection HTTP response header and the header’s value. */ export interface ResponseHeadersXSSProtection { /** * A Boolean that determines whether CloudFront includes the mode=block directive in the X-XSS-Protection header. * * @default false */ readonly modeBlock?: boolean; /** * A Boolean that determines whether CloudFront overrides the X-XSS-Protection HTTP response header * received from the origin with the one specified in this response headers policy. */ readonly override: boolean; /** * A Boolean that determines the value of the X-XSS-Protection HTTP response header. * When this setting is true, the value of the X-XSS-Protection header is 1. * When this setting is false, the value of the X-XSS-Protection header is 0. */ readonly protection: boolean; /** * A reporting URI, which CloudFront uses as the value of the report directive in the X-XSS-Protection header. * You cannot specify a ReportUri when ModeBlock is true. * * @default - no report uri */ readonly reportUri?: string; } /** * Enum representing possible values of the X-Frame-Options HTTP response header. */ export declare enum HeadersFrameOption { /** * The page can only be displayed in a frame on the same origin as the page itself. */ DENY = "DENY", /** * The page can only be displayed in a frame on the specified origin. */ SAMEORIGIN = "SAMEORIGIN" } /** * Enum representing possible values of the Referrer-Policy HTTP response header. */ export declare enum HeadersReferrerPolicy { /** * The referrer policy is not set. */ NO_REFERRER = "no-referrer", /** * The referrer policy is no-referrer-when-downgrade. */ NO_REFERRER_WHEN_DOWNGRADE = "no-referrer-when-downgrade", /** * The referrer policy is origin. */ ORIGIN = "origin", /** * The referrer policy is origin-when-cross-origin. */ ORIGIN_WHEN_CROSS_ORIGIN = "origin-when-cross-origin", /** * The referrer policy is same-origin. */ SAME_ORIGIN = "same-origin", /** * The referrer policy is strict-origin. */ STRICT_ORIGIN = "strict-origin", /** * The referrer policy is strict-origin-when-cross-origin. */ STRICT_ORIGIN_WHEN_CROSS_ORIGIN = "strict-origin-when-cross-origin", /** * The referrer policy is unsafe-url. */ UNSAFE_URL = "unsafe-url" }