feat(cloudfront): reportOnly flag on ResponseHeadersContentSecurityPolicy

packages/aws-cdk-lib/aws-cloudfront/README.md

@@ -328,7 +328,7 @@ const myResponseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'Resp
     ],
   },
   securityHeadersBehavior: {
-    contentSecurityPolicy: { contentSecurityPolicy: 'default-src https:;', override: true },
+    contentSecurityPolicy: { contentSecurityPolicy: 'default-src https:;', reportOnly: true, override: true },
     contentTypeOptions: { override: true },
     frameOptions: { frameOption: cloudfront.HeadersFrameOption.DENY, override: true },
     referrerPolicy: { referrerPolicy: cloudfront.HeadersReferrerPolicy.NO_REFERRER, override: true },

packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts

@@ -114,13 +114,40 @@ export class ResponseHeadersPolicy extends Resource implements IResponseHeadersP
       maxLength: 128,
     });
 
+    let securityHeadersBehavior = props.securityHeadersBehavior;
+    let customHeadersBehavior = props.customHeadersBehavior;
+
+    if (securityHeadersBehavior?.contentSecurityPolicy?.reportOnly) {
+      const reportOnlyCSPHeader = {
+        header: 'Content-Security-Policy-Report-Only',
+        value: securityHeadersBehavior.contentSecurityPolicy.contentSecurityPolicy,
+        override: true,
+      };
+      securityHeadersBehavior = {
+        ...securityHeadersBehavior,
+        contentSecurityPolicy: undefined,
+      };
+
+      if (!customHeadersBehavior) {
+        customHeadersBehavior = {
+          customHeaders: [],
+        };
+      }
+
+      const existingReportOnlyCSPHeader = customHeadersBehavior.customHeaders.findIndex(ch => ch.header === 'Content-Security-Policy-Report-Only');
+      if (existingReportOnlyCSPHeader !== -1) {
+        customHeadersBehavior.customHeaders.splice(existingReportOnlyCSPHeader, 1);
+      }
+      customHeadersBehavior.customHeaders.push(reportOnlyCSPHeader);
+    }
+
     const resource = new CfnResponseHeadersPolicy(this, 'Resource', {
       responseHeadersPolicyConfig: {
         name: responseHeadersPolicyName,
         comment: props.comment,
         corsConfig: props.corsBehavior ? this._renderCorsConfig(props.corsBehavior) : undefined,
-        customHeadersConfig: props.customHeadersBehavior ? this._renderCustomHeadersConfig(props.customHeadersBehavior) : undefined,
-        securityHeadersConfig: props.securityHeadersBehavior ? this._renderSecurityHeadersConfig(props.securityHeadersBehavior) : undefined,
+        customHeadersConfig: customHeadersBehavior ? this._renderCustomHeadersConfig(customHeadersBehavior) : undefined,
+        securityHeadersConfig: securityHeadersBehavior ? this._renderSecurityHeadersConfig(securityHeadersBehavior) : undefined,
         removeHeadersConfig: props.removeHeaders ? this._renderRemoveHeadersConfig(props.removeHeaders) : undefined,
         serverTimingHeadersConfig: props.serverTimingSamplingRate ? this._renderServerTimingHeadersConfig(props.serverTimingSamplingRate) : undefined,
       },
@@ -156,7 +183,7 @@ export class ResponseHeadersPolicy extends Resource implements IResponseHeadersP
       strictTransportSecurity: behavior.strictTransportSecurity ? {
         ...behavior.strictTransportSecurity,
         accessControlMaxAgeSec: behavior.strictTransportSecurity.accessControlMaxAge.toSeconds(),
-      }: undefined,
+      } : undefined,
       xssProtection: behavior.xssProtection,
     };
   }
@@ -337,6 +364,13 @@ export interface ResponseHeadersContentSecurityPolicy {
    * received from the origin with the one specified in this response headers policy.
    */
   readonly override: boolean;
+
+  /**
+   * A Boolean that determines whether CloudFront includes the -Report-Only suffix in the Content-Security-Policy HTTP response header.
+   *
+   * @default - not report only
+   */
+  readonly reportOnly?: boolean;
 }
 
 /**

packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts

@@ -180,4 +180,57 @@ describe('ResponseHeadersPolicy', () => {
       },
     });
   });
+
+  test('it respects CSP `reportOnly` flag by mapping to custom header', () => {
+    new ResponseHeadersPolicy(stack, 'ResponseHeadersPolicy', {
+      securityHeadersBehavior: {
+        contentSecurityPolicy: { contentSecurityPolicy: 'default-src https:;', reportOnly: true, override: true },
+      },
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::CloudFront::ResponseHeadersPolicy', {
+      ResponseHeadersPolicyConfig: {
+        CustomHeadersConfig: {
+          Items: [
+            {
+              Header: 'Content-Security-Policy-Report-Only',
+              Value: 'default-src https:;',
+              Override: true,
+            },
+          ],
+        },
+      },
+    });
+  });
+
+  test('securityHeadersBehavior.contentSecurityPolicy takes precedence with `reportOnly`', () => {
+    new ResponseHeadersPolicy(stack, 'ResponseHeadersPolicy', {
+      customHeadersBehavior: {
+        customHeaders: [
+          {
+            header: 'Content-Security-Policy-Report-Only',
+            value: 'default-src self;',
+            override: true,
+          },
+        ],
+      },
+      securityHeadersBehavior: {
+        contentSecurityPolicy: { contentSecurityPolicy: 'default-src https:;', reportOnly: true, override: true },
+      },
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::CloudFront::ResponseHeadersPolicy', {
+      ResponseHeadersPolicyConfig: {
+        CustomHeadersConfig: {
+          Items: [
+            {
+              Header: 'Content-Security-Policy-Report-Only',
+              Value: 'default-src https:;',
+              Override: true,
+            },
+          ],
+        },
+      },
+    });
+  });
 });