A Tale of SPA, AWS CloudFront, and Security Headers
I am sure many of you would have hosted Single Page Application (SPA) using Angular or React package deployed on AWS S3 and proxied via AWS CloudFront. It works like a charm!!!
But did you know that your application could be vulnerable to Frame Hijacking or Injection, Clickjacking and many more similar attacks if you did not follow some of the best practices to secure your application. Well, yes….I am talking about securing your application by adding Security Headers in the HTTP response of your application.
I have seen many folks who are not aware of such Security Headers or tend to forget adding these headers specially while hosting their SPA application using AWS CloudFront and S3 services. I also learnt it the hard way :( — when these security issues were discovered as part of Penetration Testing activity for one of the Client’s project I was working on.
You want to perform a quick test to check if your application is vulnerable to such attacks. There are many web sites who can help identify it. I generally hop on to — https://observatory.mozilla.org/.
Provide the URL of you site and it will provide result in no time. If your result look as below, then you need to tighten the security. How ??? Read the next section of the blog :)
