I have an application running on EC2 behind an Application ELB with all security HTTP headers set at the server level. I shut down the EC2 instances during non-working hours and turn them back on during working hours.
Our security team scans the application during non-working hours and it reports the HSTS header as not set, with response 503. The 503 is being returned by the ELB as the EC2 is stopped.
We are being asked to add HSTS for all 5XX and 4XX pages. This needs to be handled at the ELB. Is there a way to apply custom headers at the ELB level? Or can we handle this using any other service?
HSTS stands for HTTP Strict Transport Security. It's a security mechanism (policy) implemented through HTTP headers, instructing web browsers to communicate with a website only over secure HTTPS connections. So basically it is a policy that is controlled by the backend, not the load balancer. In short, AWS does not do it for us, as it is a complicated solution.
You can refer to the following solutions and choose the right one for you:
1. Use the CloudFront service - If you are using an ALB, the alternative is to put CloudFront in front of the ALB.
2. Enable HSTS on the backend instances - Have HSTS pre-configured on the backend instances so that the load balancer can just access them via HTTPS.
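Added example for option 1 above; this is not part of the original question or answer. It is a POSIX shell script that does two things: it emits the JSON for a CloudFront response headers policy whose `StrictTransportSecurity` setting makes CloudFront add the HSTS header to the responses it sends to viewers, which covers the 503 it relays from an ALB with no healthy targets, and it checks a raw HTTP response (as dumped by `curl -D -`) for an HSTS header with an adequate `max-age`, which is what the scanner in the question is effectively doing. The policy name, the `/tmp/hsts-policy.json` path and the sample responses in the usage note are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original Q&A): put HSTS on every response by
# attaching a CloudFront response headers policy in front of the ALB, and
# verify the result the way a header scanner would.

# Emit a CloudFront ResponseHeadersPolicyConfig as JSON.
#   $1 = policy name (assumed name, pick your own)
#   $2 = HSTS max-age in seconds (default: one year)
# Override=true replaces any HSTS value the origin already sends, so the
# header is uniform whether the response comes from the app or from the ALB.
hsts_policy_config() {
  name="$1"
  max_age="${2:-31536000}"
  cat <<EOF
{
  "Name": "${name}",
  "Comment": "HSTS on all responses, including 4xx/5xx relayed from the ALB",
  "SecurityHeadersConfig": {
    "StrictTransportSecurity": {
      "Override": true,
      "IncludeSubdomains": true,
      "Preload": false,
      "AccessControlMaxAgeSec": ${max_age}
    }
  }
}
EOF
}

# Check a raw HTTP response (status line plus headers) for HSTS.
#   $1 = raw response text, e.g. "$(curl -sS -o /dev/null -D - URL)"
#   $2 = minimum acceptable max-age in seconds (default: one year)
# Returns 0 when the header is present with a large enough max-age,
# 1 otherwise, and prints a one-line verdict that includes the status code
# so a 503 without HSTS is reported the same way a 200 without HSTS is.
check_hsts() {
  raw="$1"
  min_age="${2:-31536000}"
  status=$(printf '%s\n' "$raw" | head -n 1 | awk '{print $2}')
  # Header names are case-insensitive; drop CRs in case the dump is CRLF.
  hsts=$(printf '%s\n' "$raw" | tr -d '\r' \
         | grep -i '^strict-transport-security:' | head -n 1)
  if [ -z "$hsts" ]; then
    echo "FAIL status=${status}: no Strict-Transport-Security header"
    return 1
  fi
  # Directive names are case-insensitive too (RFC 6797), so lowercase first.
  max_age=$(printf '%s\n' "$hsts" | tr '[:upper:]' '[:lower:]' \
            | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
  if [ -z "$max_age" ] || [ "$max_age" -lt "$min_age" ]; then
    echo "FAIL status=${status}: max-age=${max_age:-missing} below ${min_age}"
    return 1
  fi
  echo "OK status=${status}: ${hsts#*: }"
  return 0
}

# Probe a live URL (needs network; only runs when asked for explicitly).
probe_hsts() {
  check_hsts "$(curl -sS -o /dev/null -D - "$1")" "${2:-31536000}"
}

# Usage:
#   sh hsts.sh create-policy [policy-name]   # creates the policy in CloudFront
#   sh hsts.sh probe https://cdn.example.com/does-not-exist   # expect 404 + HSTS
if [ "${1:-}" = "create-policy" ]; then
  hsts_policy_config "${2:-alb-hsts-all-responses}" > /tmp/hsts-policy.json
  aws cloudfront create-response-headers-policy \
    --response-headers-policy-config file:///tmp/hsts-policy.json
elif [ "${1:-}" = "probe" ]; then
  probe_hsts "$2"
fi
```

The `create-policy` step returns the policy's `Id`; the remaining step is to set that `Id` as `ResponseHeadersPolicyId` on each cache behaviour of the distribution that fronts the ALB (via the console or `aws cloudfront update-distribution`), after which the header is added to every response CloudFront serves for those behaviours. Two caveats for the scan: the scanner must hit the CloudFront hostname, since a request sent straight to the ALB's DNS name never passes through the policy and will still show a bare 503 while the instances are stopped; and `max-age` should match what the backend already sends (one year here, as assumed) so the value does not flip-flop depending on which layer answered.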