Draft

I borrowed a script from the article Serving custom headers from static sites on CloudFront_S3 with Lambda@Edge, and decided I’d like to have tooling set up locally to troubleshoot such a script. This post walks through the steps I took.

# Swap the locally installed Node for the node@6 line — presumably to match
# the Lambda@Edge runtime being deployed to at the time; TODO confirm the
# runtime actually in use and prefer a currently supported release (the
# Node 6 line is end-of-life upstream).
brew unlink node
brew install node@6
brew link node@6
# Local test harness: lambda-tester drives the handler, mocha runs the
# describe/it suite and chai supplies `expect`.
npm install lambda-tester mocha chai --save-dev

Here is the test file.

// test.js

const LambdaTester = require('lambda-tester');
const expect       = require('chai').expect;
const myHandler    = require('./handler').handler;


// Drives the handler through lambda-tester with a minimal CloudFront
// response event and checks that the X-Content-Type-Options header was set.
describe('handler', () => {
  it('test success', () => {
    const cfEvent = { Records: [{ cf: { response: { headers: {} } } }] };
    const expectedHeader = { key: 'X-Content-Type-Options', value: 'nosniff' };

    return LambdaTester(myHandler)
      .event(cfEvent)
      .expectResult((result) => {
        // CloudFront headers are arrays of { key, value }; only the first
        // entry is asserted here.
        const [actualHeader] = result.headers['X-Content-Type-Options'];
        expect(actualHeader).to.deep.equal(expectedHeader);
      });
  });
});

And here is a handler script that passes this test.

// handler.js

// Opt the whole module into strict mode (CommonJS modules are sloppy by
// default); catches accidental implicit globals in the handler below.
'use strict';

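/**
 * Lambda@Edge response handler that stamps a fixed set of security
 * headers onto the CloudFront response before it is returned.
 *
 * @param {object} event - CloudFront event; only `Records[0].cf.response`
 *   is read, and its `headers` map is mutated in place.
 * @param {object} context - Lambda context (unused).
 * @param {function} callback - Node-style callback; invoked as
 *   `callback(null, response)` with the modified response.
 */
exports.handler = (event, context, callback) => {
  const response = event.Records[0].cf.response;

  // Directives are kept as a list and joined with '; ' so every one is
  // delimited the same way (the hand-concatenated string mixed "; " and
  // ";"; CSP tolerates both, but the mix was easy to misread).
  const csp = [
    "default-src 'none'",
    "img-src 'self'",
    "script-src 'self'",
    // The original read "style-src 'self' 'unsafe-url'". 'unsafe-url' is a
    // Referrer-Policy value, not a CSP source expression, and browsers drop
    // unrecognized tokens, so the enforced directive was already
    // "style-src 'self'". Allowing inline styles would need
    // 'unsafe-inline', which weakens the policy; it is deliberately not
    // added here.
    "style-src 'self'",
    "object-src 'none'",
    "frame-ancestors 'none'",
  ].join('; ');

  // Header names as they should appear on the wire; each becomes a
  // CloudFront header entry of the form [{ key, value }].
  const securityHeaders = {
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    // Deprecated in current browsers; left unchanged as the author's choice.
    'X-XSS-Protection': '1; mode=block',
    'Referrer-Policy': 'same-origin',
    'Content-Security-Policy': csp,
  };

  // NOTE(review): CloudFront documents the keys of `response.headers` as
  // lowercase header names, with `key` carrying the display case. The test
  // on this page indexes by the mixed-case name, so the case is kept here;
  // confirm against the deployed environment before relying on it.
  // Object.keys rather than Object.entries because the page targets Node 6,
  // which lacks Object.entries.
  for (const name of Object.keys(securityHeaders)) {
    response.headers[name] = [{ key: name, value: securityHeaders[name] }];
  }

  callback(null, response);
};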

Here are some links for further reading.