如何在 serverless.yml 中设置响应头？

Question

我有使用无服务器框架版本 1.25 的无服务器 API

出于安全原因，我想添加响应标头。请帮助我如何通过 serverless.yml 文件设置以下标题。出于安全原因，是否需要添加此标头？

• Content-Security-Policy：包括 default-src 'self'

• Strict-Transport-Security max-age=31536000；包括子域；预加载

• X-Content-Type-Options：nosniff

• X-XSS 保护：1

• 缓存控制：max-age=0；过期=-1 或过期：格林威治标准时间 1990 年 1 月 1 日星期五 00:00:00；无缓存，必须重新验证

下面是我的无服务器应用 serverless.yaml

service: myService
provider:
  name: aws
  runtime: nodejs6.10
  stage: dev
  region: eu-west-1
  environment:
    REGION: ${self:provider.region}
    PROJECT_NAME: ${self:custom.projectName}
    SERVERLESS_STAGE: ${self:provider.stage}
    SERVERLESS_SERVICE: ${self:service}
    IP_ADDRESS: http://example.com
functions:
   getMyFunction:
     handler: handler.getMyFunction
     timeout: 30
     events:
      - http:
          method: get
          path: api/getMyFunction/v1
          integration: lambda
          cors: true
          authorizer:
            name: authorizerFunc
            identitySource: method.request.header.Token
            authorizationType: AWS_IAM

Answer 1

您可以使用Lambda Proxy Integration。根据文档，您需要创建一个函数，该函数将在有人访问您的 API 端点时运行。

举个例子：

module.exports.hello = function (event, context, callback) {
    console.log(event); // Contains incoming request data (e.g., query params, headers and more)

    const response = {
        statusCode: 200,
        headers: {
            "x-custom-header": "My Header Value"
        },
        body: JSON.stringify({ "message": "Hello World!" })
    };

    callback(null, response);
};

在你的 serverless.yml 中

functions:
 index:
   handler: handler.hello
   events:
     - http: GET hello

Answer 2

由于您使用 Lambda 集成，因此您必须将其放入您的 serverless.yml。

service: myService
provider:
  name: aws
  runtime: nodejs6.10
  stage: dev
  region: eu-west-1
  environment:
    REGION: ${self:provider.region}
    PROJECT_NAME: ${self:custom.projectName}
    SERVERLESS_STAGE: ${self:provider.stage}
    SERVERLESS_SERVICE: ${self:service}
    IP_ADDRESS: http://example.com
functions:
   getMyFunction:
     handler: handler.getMyFunction
     timeout: 30
     events:
      - http:
          method: get
          path: api/getMyFunction/v1
          integration: lambda
          cors: true
          authorizer:
            name: authorizerFunc
            identitySource: method.request.header.Token
            authorizationType: AWS_IAM
          response:
            headers:
              Content-Security-Policy: "'Include default-src 'self''"
              Strict-Transport-Security: "'max-age=31536000; includeSubDomains; preload'"
              X-Content-Type-Options: "'nosniff'"
              X-XSS-Protection: "'1'"
              Cache-Control: "'max-age=0; Expires=-1 or Expires: Fri, 01 Jan 1990 00:00:00 GMT; no-cache, must-revalidate'"

参考：https://serverless.com/framework/docs/providers/aws/events/apigateway#custom-response-headers

Answer 3

service: myService 
provider:
  name: aws
  runtime: nodejs6.10
  stage: dev
  region: eu-west-1
  environment:
    REGION: ${self:provider.region}
    PROJECT_NAME: ${self:custom.projectName}
    SERVERLESS_STAGE: ${self:provider.stage}
    SERVERLESS_SERVICE: ${self:service}
    IP_ADDRESS: http://example.com
functions:
  getMyFunction:
   handler: handler.getMyFunction
   timeout: 30
   events:
    - http:
      method: get
      path: api/getMyFunction/v1
      integration: lambda
      cors: true
      authorizer:
        name: authorizerFunc
        identitySource: method.request.header.Token
        authorizationType: AWS_IAM
      response:
        headers:
          Content-Security-Policy: "'Include default-src 'self''"
          Strict-Transport-Security: "'max-age=31536000; includeSubDomains; preload'"
          X-Content-Type-Options: "'nosniff'"
          X-XSS-Protection: "'1'"
          Cache-Control: "'max-age=0; Expires=-1 or Expires: Fri, 01 Jan 1990 00:00:00 GMT; no-cache, must-revalidate'"