How do I set response headers in serverless.yml?

Time: 2018-03-14 09:41:39

Tags: javascript amazon-web-services http-headers httpresponse serverless-framework

I have a serverless API that uses Serverless Framework version 1.25.

For security reasons I want to add response headers. Please help me set the headers below via the serverless.yml file. Is it necessary to add these headers for security reasons?

• Content-Security-Policy: include default-src 'self'

• Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

• X-Content-Type-Options: nosniff

• X-XSS-Protection: 1

• Cache-Control: max-age=0; Expires=-1 or Expires: Fri, 01 Jan 1990 00:00:00 GMT; no-cache, must-revalidate

Below is the serverless.yaml of my serverless application:

service: myService
provider:
  name: aws
  runtime: nodejs6.10
  stage: dev
  region: eu-west-1
  environment:
    REGION: ${self:provider.region}
    PROJECT_NAME: ${self:custom.projectName}
    SERVERLESS_STAGE: ${self:provider.stage}
    SERVERLESS_SERVICE: ${self:service}
    IP_ADDRESS: http://example.com
functions:
  getMyFunction:
    handler: handler.getMyFunction
    timeout: 30
    events:
      - http:
          method: get
          path: api/getMyFunction/v1
          integration: lambda
          cors: true
          authorizer:
            name: authorizerFunc
            identitySource: method.request.header.Token
            authorizationType: AWS_IAM

3 answers:

Answer 0 (score: 1)

You can use Lambda Proxy Integration. According to the documentation, you need to create a function that runs when someone accesses your API endpoint.

For example:

module.exports.hello = function (event, context, callback) {
  console.log(event); // Contains incoming request data (e.g., query params, headers and more)

  const response = {
    statusCode: 200,
    headers: {
      "x-custom-header": "My Header Value"
    },
    body: JSON.stringify({ "message": "Hello World!" })
  };

  callback(null, response);
};

In your serverless.yml:

functions:
  index:
    handler: handler.hello
    events:
      - http: GET hello

Answer 1 (score: 1)

Since you are using Lambda Integration, you must put it in serverless.yml:

service: myService
provider:
  name: aws
  runtime: nodejs6.10
  stage: dev
  region: eu-west-1
  environment:
    REGION: ${self:provider.region}
    PROJECT_NAME: ${self:custom.projectName}
    SERVERLESS_STAGE: ${self:provider.stage}
    SERVERLESS_SERVICE: ${self:service}
    IP_ADDRESS: http://example.com
functions:
  getMyFunction:
    handler: handler.getMyFunction
    timeout: 30
    events:
      - http:
          method: get
          path: api/getMyFunction/v1
          integration: lambda
          cors: true
          authorizer:
            name: authorizerFunc
            identitySource: method.request.header.Token
            authorizationType: AWS_IAM
          response:
            headers:
              # Static header values are wrapped in single quotes (API Gateway mapping syntax).
              # A value that itself contains single quotes, as CSP's 'self' does, may be
              # rejected by API Gateway; if so, set that header from the Lambda handler instead.
              Content-Security-Policy: "'default-src 'self''"
              Strict-Transport-Security: "'max-age=31536000; includeSubDomains; preload'"
              X-Content-Type-Options: "'nosniff'"
              X-XSS-Protection: "'1'"
              # Cache-Control and Expires are two separate headers.
              Cache-Control: "'max-age=0, no-cache, must-revalidate'"
              Expires: "'Fri, 01 Jan 1990 00:00:00 GMT'"

Reference: https://serverless.com/framework/docs/providers/aws/events/apigateway#custom-response-headers

Answer 2 (score: 0)

service: myService
provider:
  name: aws
  runtime: nodejs6.10
  stage: dev
  region: eu-west-1
  environment:
    REGION: ${self:provider.region}
    PROJECT_NAME: ${self:custom.projectName}
    SERVERLESS_STAGE: ${self:provider.stage}
    SERVERLESS_SERVICE: ${self:service}
    IP_ADDRESS: http://example.com
functions:
  getMyFunction:
    handler: handler.getMyFunction
    timeout: 30
    events:
      - http:
          # The keys below must be indented under `http:`, otherwise YAML reads
          # them as siblings of `http` and the event is not parsed.
          method: get
          path: api/getMyFunction/v1
          integration: lambda
          cors: true
          authorizer:
            name: authorizerFunc
            identitySource: method.request.header.Token
            authorizationType: AWS_IAM
          response:
            headers:
              # Static header values are wrapped in single quotes (API Gateway mapping syntax).
              Content-Security-Policy: "'default-src 'self''"
              Strict-Transport-Security: "'max-age=31536000; includeSubDomains; preload'"
              X-Content-Type-Options: "'nosniff'"
              X-XSS-Protection: "'1'"
              # Cache-Control and Expires are two separate headers.
              Cache-Control: "'max-age=0, no-cache, must-revalidate'"
              Expires: "'Fri, 01 Jan 1990 00:00:00 GMT'"