feat(csp): add CloudFront response headers policy with Content-Security-Policy

j4y · j4y · commit 83d546e39e5c · 2025-12-26T12:06:38.000-05:00
- introduce aws_cloudfront_response_headers_policy resource
- define CSP allowing required external scripts (Google Ads, CDNJS)
diff --git a/terraform/website/main.tf b/terraform/website/main.tf
@@ -90,6 +90,17 @@ resource "aws_s3_bucket_website_configuration" "bucket" {
   ])
 }
 
+resource "aws_cloudfront_response_headers_policy" "csp" {
+  name = "colorcop-csp-policy"
+
+  security_headers_config {
+    content_security_policy {
+      override = true
+      content_security_policy = "default-src 'self'; script-src 'self' 'unsafe-eval' https://pagead2.googlesyndication.com https://googleads.g.doubleclick.net https://cdnjs.cloudflare.com; style-src 'self' https://cdnjs.cloudflare.com 'unsafe-inline'; img-src 'self' data: https://pagead2.googlesyndication.com https://googleads.g.doubleclick.net;"
+    }
+  }
+}
+
 resource "aws_cloudfront_distribution" "distribution" {
   aliases         = [local.www_domain, var.domain]
   comment         = "Cloudfront distribution for ${var.domain}"
