Skip to content

Files

Latest commit

finnhollandfinnholland
updated readme for geoip and removed set-cookie
May 1, 2025
ab7dcc8 · May 1, 2025

History

History

header-change-detection

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
docs
docs
Jan 22, 2025
lib
lib
May 1, 2025
.eslintrc.json
.eslintrc.json
Jan 22, 2025
README.md
README.md
May 1, 2025
index.ts
index.ts
Jan 24, 2025
jest.config.ts
jest.config.ts
Jan 23, 2025
package.json
package.json
Mar 13, 2025
project.json
project.json
Mar 20, 2025
tsconfig.app.json
tsconfig.app.json
Mar 20, 2025
tsconfig.json
tsconfig.json
Jan 22, 2025
tsconfig.spec.json
tsconfig.spec.json
Jan 22, 2025

README.md

Aligent Header Change Detection Service

Overview

Creates a Lambda function that periodically scans security headers and sends the results to SNS.

Diagram

diagram

This service aims to comply with PCI DSS to cover the requirements outlined by section 11.6.1.

11.6.1: A change- and tamper-detection mechanism is deployed as follows:

  • To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser.
  • The mechanism is configured to evaluate the received HTTP headers and payment pages.
  • The mechanism functions are performed as follows:
    • At least weekly OR
    • Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1)

Default config

By default, the following headers are monitored:

  • Content-Security-Policy
  • Content-Security-Policy-Report-Only
  • Reporting-Endpoints
  • Strict-Transport-Security
  • X-Frame-Options
  • X-Content-Type-Options
  • Cross-Origin-Opener-Policy
  • Cross-Origin-Embedder-Policy
  • Cross-Origin-Resource-Policy
  • Referrer-Policy
  • Permission-Policy
  • Cache-Control

Usage

To include this in your CDK stack, add the following:

// Import required packages
import { SnsTopic } from "aws-cdk-lib/aws-events-targets";
import { Topic } from "aws-cdk-lib/aws-sns";
import { HeaderChangeDetection } from "@aligent/cdk-header-change-detection";

// Create a new SNS topic
const topic = new Topic(this, "Topic");
const snsTopic = new SnsTopic(topic);

// Pass the required props
new HeaderChangeDetection(this, "HeaderChangeDetection", { snsTopic });

Local development

NPM link can be used to develop the module locally.

  1. Pull this repository locally
  2. cd into this repository
  3. run npm link
  4. cd into the downstream repo (target project, etc) and run npm link '@aligent/cdk-header-change-detection' The downstream repository should now include a symlink to this module. Allowing local changes to be tested before pushing. You may want to update the version notation of the package in the downstream repository's package.json.