I'm having the same problem (using S3/CloudFront) and it appears there is currently no way to set this up easily.

S3 has a whitelist of the headers permitted, and Content-Security-Policy is not on it. Whilst it is true you can use the prefixed x-amz-meta-Content-Security-Policy, this is unhelpful as there is no browser support for it.

There are two options I can see.

1) you can serve the html content from a webserver on an EC2 instance and set that up as another CloudFront origin. Not really a great solution.

2) include the CSP as a meta tag within your html document:

    <!doctype html>
    <html>
      <head>
        <meta http-equiv="Content-Security-Policy" content="default-src http://*.foobar.com 'self'">
...

This option is not as widely supported by browsers, but it appears to work with both Webkit and Firefox, so the current Chrome, Firefox, Safari (and IOS 7 Safari) seem to support it.

I chose 2 as it was the simpler/cheaper/faster solution and I hope AWS will add the CSP header in the future.

Answer from Ravenscar on Stack Overflow
🌐
AWS
docs.aws.amazon.com › aws cloudformation › template reference › amazon cloudfront › aws::cloudfront::responseheaderspolicy › aws::cloudfront::responseheaderspolicy contentsecuritypolicy
AWS::CloudFront::ResponseHeadersPolicy ContentSecurityPolicy - AWS CloudFormation
A Boolean that determines whether CloudFront overrides the Content-Security-Policy HTTP response header received from the origin with the one specified in this response headers policy.
🌐
Medium
pushkar-sre.medium.com › implementing-cors-policies-and-content-security-policy-with-aws-cloudfront-a-comprehensive-guide-9a4c588db56c
Implementing CORS Policies and Content-Security-Policy with AWS CloudFront: A Comprehensive Guide | by Pushkar Joshi | Medium
August 5, 2024 - Content Security Policy (CSP) is a security mechanism that helps prevent various attacks like Cross-Site Scripting (XSS) and data injection attacks by specifying which sources of content are allowed to be loaded.
Discussions
Is it possible to set Content-Security-Policy headers in Amazon S3? - Stack Overflow
I'm trying to set a Content-Security-Policy header for an html file I'm serving via s3/cloudfront. I'm using the web-based AWS console. Whenever I try to add the header: it doesn't seem to respect ... More on stackoverflow.com
🌐 stackoverflow.com
Is Content Security Policy (CSP) available for AWS ALB or WAF?
I have done a security vulnerability scan against my hosted site behind ALB with WAF integration. The scan reported the following: Content Security Policy (CSP) Missing csp_no_policy_v2 Recommend... More on repost.aws
🌐 repost.aws
1
0
March 27, 2024
s3 static site w/cloudfront: CSP problems
You've identified the problem correctly and it's not directly related to S3 static sites. CSP is an important security feature regardless of hosting method that is overlooked or ignored all to often. The template you used is applying some of the best practices for front-end security via security headers. You don't get the errors on lightsail because you're not applying the same headers, which you could do in the app itself or via something like apache, ngnix, caddy, traefik, etc. If you don't care about the CSP violations then just remove the headers in the CloudFront template. If you do care though then you need to learn about CSP and how to use hash or nonces in your src elements. More on reddit.com
🌐 r/aws
2
1
January 5, 2024
ERROR - Content Security Policy directive - Help!
Hi All, Getting this error on a bunch of embedded customer sites this morning… does anyone know what it means? Everything was working perfectly yesterday :frowning: Refused to frame 'https://us-east-2.quicksight.aws.am… More on community.amazonquicksight.com
🌐 community.amazonquicksight.com
1
0
October 18, 2022
🌐
AWS
docs.aws.amazon.com › aws app studio › user guide › builder documentation › viewing or updating your app's content security settings
Viewing or updating your app's content security settings - AWS App Studio
The content security settings are used to configure Content Security Policy (CSP) headers in your application. CSP is a security standard that helps to secure your app from cross-site scripting (XSS), clickjacking, and other code injection attacks.
🌐
Stack Overflow
stackoverflow.com › questions › 19825294 › is-it-possible-to-set-content-security-policy-headers-in-amazon-s3
Is it possible to set Content-Security-Policy headers in Amazon S3? - Stack Overflow
Top answer
1 of 5
10

I'm having the same problem (using S3/CloudFront) and it appears there is currently no way to set this up easily.

S3 has a whitelist of the headers permitted, and Content-Security-Policy is not on it. Whilst it is true you can use the prefixed x-amz-meta-Content-Security-Policy, this is unhelpful as there is no browser support for it.

There are two options I can see.

1) you can serve the html content from a webserver on an EC2 instance and set that up as another CloudFront origin. Not really a great solution.

2) include the CSP as a meta tag within your html document:

    <!doctype html>
    <html>
      <head>
        <meta http-equiv="Content-Security-Policy" content="default-src http://*.foobar.com 'self'">
...

This option is not as widely supported by browsers, but it appears to work with both Webkit and Firefox, so the current Chrome, Firefox, Safari (and IOS 7 Safari) seem to support it.

I chose 2 as it was the simpler/cheaper/faster solution and I hope AWS will add the CSP header in the future.

2 of 5
6

S3/CloudFront takes any headers that the origin set and forward those to the client, but you can't set custom headers on you response directly.

You can use Lambda@Edge function that can inject security headers through CloudFront.

Here is how the process works: (reference aws blog)

  • Viewer navigates to website.
  • Before CloudFront serves content from the cache it will trigger any Lambda function associated with the Viewer Request trigger for that behavior.
  • CloudFront serves content from the cache if available, otherwise it goes to step 4.
  • Only after CloudFront cache ‘Miss’, Origin Request trigger is fired for that behavior.
  • S3 Origin returns content.
  • After content is returned from S3 but before being cached in CloudFront, Origin Response trigger is fired.
  • After content is cached in CloudFront, Viewer Response trigger is fired and is the final step before viewer receives content.
  • Viewer receives content.

Below is the blog from aws on how to do this step by step.

https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/

🌐
AWS
docs.aws.amazon.com › amazon cloudfront › developer guide › add or remove http headers in cloudfront responses with a policy › understand response headers policies
Understand response headers policies - Amazon CloudFront
You can use the security headers settings to add and configure several security-related HTTP response headers in a response headers policy. This list describes how you can specify settings and valid values in a response headers policy. For more information about each of these headers and how they're used in real-world HTTP responses, see the links to the MDN Web Docs. ... Specifies the content security policy directives that CloudFront uses as values for the Content-Security-Policy response header.
🌐
AWS
docs.aws.amazon.com › amazon ivs › low-latency streaming user guide › ivs player sdk › ivs player sdk: web guide › working with content security policy
Working With Content Security Policy - Amazon IVS
The Amazon IVS Web player SDK is configured to work on pages that use Content Security Policy (CSP). A few key CSP directives must be in place. Here, we describe a minimal set of directives that are necessary. Additional directives and sources are likely necessary, depending on your specific setup.
🌐
AWS re:Post
repost.aws › questions › QUOMG1TQF_QMe24Sxsv5OEKA › is-content-security-policy-csp-available-for-aws-alb-or-waf
Is Content Security Policy (CSP) available for AWS ALB or WAF? | AWS re:Post
Top answer
1 of 1
1
Both ALB and WAF are unable to add CSP HTTP header. You can configure your host web server to include the necessary CSP header. Alternatively, you can put Amazon CloudFront in front of your ALB, and use either a managed or custom Response Headers Policy (screen shot below) !Enter image description here
🌐
Simply Explained
simplyexplained.com › blog › implement content security policy with aws s3 and cloudfront
Implement Content Security Policy with AWS S3 and CloudFront | Simply Explained
May 1, 2018 - If we try to load something via HTTP, the browser will automatically upgrade the request to a secure HTTPS connection. And finally, we have report-uri which tells the browser to log violations of your policy to a service of your choosing. This is quite important, more on that later! After writing your CSP, add them to your HTTP headers like so: headers['content-security-policy'] = [{ key: 'Content-Security-Policy', value: "default-src 'self'; connect-src links.services.disqus.com www.google-analytics.com googleads.g.doubleclick.net static.doubleclick.net savjee.report-uri.com c.disquscdn.com d
Find elsewhere
🌐
CodeBurst
codeburst.io › content-security-policy-with-amazon-cloudfront-part-1-5505feeaa75
Content Security Policy with Amazon CloudFront: Part 1 | by John Tucker | codeburst
December 8, 2018 - Content Security Policy with Amazon CloudFront: Part 1 Exploring Content Security Policy (CSP) issues when deploying a React web application using Amazon CloudFront. A seasoned colleague of mine who …
🌐
AWS
docs.aws.amazon.com › amazon cloudfront › developer guide › code examples for cloudfront using aws sdks › cloudfront functions examples for cloudfront › add http security headers to a cloudfront functions viewer response event
Add HTTP security headers to a CloudFront Functions viewer response event - Amazon CloudFront
async function handler(event) { var response = event.response; var headers = response.headers; // Set HTTP security headers // Since JavaScript doesn't allow for hyphens in variable names, we use the dict["key"] notation headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; frame-ancestors 'none'"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; headers['referrer-policy'] = {value: 'same-origin'}; // Return the response to viewers return response; } For a complete list of AWS SDK developer guides and code examples, see Using CloudFront with an AWS SDK.
🌐
AWS re:Post
repost.aws › knowledge-center › cloudfront-http-security-headers
Add HTTP security headers to CloudFront responses | AWS re:Post
June 20, 2025 - Or, choose the custom policy that you created. Choose Save changes. See the following example of a CloudFront response with HTTP security response headers: curl -I https://dxxxxxxxbai33q.cloudfront.net HTTP/2 200 content-type: text/html content-length: 9850 vary: Accept-Encoding date: xxxxxxxxx last-modified: xxxxxxx etag: "c59c5ef71f3350489xxxxxxxxxx" x-amz-server-side-encryption: AES256 cache-control: no-store, no-cache, private x-amz-version-id: null accept-ranges: bytes server: AmazonS3 x-xss-protection: 1; mode=block x-frame-options: SAMEORIGIN referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff strict-transport-security: max-age=31536000 x-cache: Miss from cloudfront via: 1.1 12142717248e0e7148a5c1a9151ab918.cloudfront.net (CloudFront) x-amz-cf-pop: BOS50-C3 x-amz-cf-id: nHNANTZYdkQkE5BmsqlisPTiodFhVCK-Sf9Zp4iJzNs04eWi1_hEig==
🌐
Reddit
reddit.com › r/serverless › the ultimate guide to content security policy (csp)
r/serverless on Reddit: The Ultimate Guide to Content Security Policy (CSP)
August 25, 2023 - Throughout this ebook, you will learn what Content Security Policy (CSP) is, how to configure CSP, what it can do for you, and how you use CSP effectively in modern applications.
🌐
tecracer
tecracer.com › blog › 2024 › 08 › enhancing-cloudfront-security-with-response-headers.html
Enhancing CloudFront Security with Response Headers | tecRacer Amazon AWS Blog
August 30, 2024 - Security headers are HTTP headers sent by the server to the browser, instructing the browser on how to handle content securely. Properly configuring these headers helps defend against vulnerabilities like cross-site scripting (XSS), clickjacking, and man-in-the-middle attacks, ensuring a safer browsing experience for users. To implement a custom policy for serving headers and connect it to your CloudFront distribution, follow these steps: Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/.
🌐
Reddit
reddit.com › r/aws › s3 static site w/cloudfront: csp problems
r/aws on Reddit: s3 static site w/cloudfront: CSP problems
January 5, 2024 -

I have been following an example from the cloudfront docs for setting up an s3 static site that uses cloudfront.

It works with the example content. But there's some problems when I upload my own static site content.

Basically, I have a static site generated by a tool called "quarto". It works if I deploy to a regular apache web server. But when I deploy the same content to s3+cloudfront, I see a bunch of CSP-related errors in the javascript console.

Visually, some fonts fall back to default values and also I see much of the javascript functionality doesn't work.

The types of errors I see are like this (it happens to be for math typesetting stuff, katex): 

whatever-path/:1 Refused to load the script 'https://cdn.jsdelivr.net/npm/[email protected]/dist/katex.min.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

I get 17 of them, all different, but all naming "Content Security Policy".

My very limited understanding is that is happening because I need to "whitelist" the hyperlinks of javascript libraries from other domains, for example, the one above: https://cdn.jsdelivr.net/npm/[email protected]/dist/katex.min.js

I see in the cloudfront console, under policies, there's a bunch of stuff related to origin request and response headers. It mentions CORS, which appears to be the same (or adjacent) concept to CSP. I haven't changed this from the default. I notice the example CF stack added some "security headers". Is this the place where I would need to make changes?

Is there a practical, straightforward approach for dealing with this? Or do I need to read and understand all aspects of website security before even attempting an s3 static site?

I should add that if I deploy the exact same static site to a lightsail instance I spun up that runs apache, it all works fine. The problem appears with s3+cloudfront.

Top answer
1 of 1
3
You've identified the problem correctly and it's not directly related to S3 static sites. CSP is an important security feature regardless of hosting method that is overlooked or ignored all to often. The template you used is applying some of the best practices for front-end security via security headers. You don't get the errors on lightsail because you're not applying the same headers, which you could do in the app itself or via something like apache, ngnix, caddy, traefik, etc. If you don't care about the CSP violations then just remove the headers in the CloudFront template. If you do care though then you need to learn about CSP and how to use hash or nonces in your src elements.
🌐
Smejri
blog.smejri.link › aws-cloudfront-content-security-policy
Content-Security-Policy Issue with Google Fonts API | AWS CloudFront
May 30, 2023 - Content-Security-Policy (CSP) is an important security mechanism that helps protect websites from various types of attacks, including cross-site scripting (XSS) and data injection.
🌐
Prisma Cloud
docs.prismacloud.io › en › enterprise-edition › policy-reference › aws-policies › aws-networking-policies › bc-aws-networking-65
AWS CloudFront distribution does not have a strict security ...
June 11, 2025 - Prisma Cloud Application Security offers a comprehensive scanning mechanism for detecting potential security issues that may arise in various aspects of software development. This documentation ...
🌐
Amazon QuickSight
community.amazonquicksight.com › q&a
ERROR - Content Security Policy directive - Help! - Q&A - Amazon Quick Suite Community
Top answer
1 of 1
3
Hi Daniel, As Enrique recommended please review your security policies for application website, to see if there is no such policy applied to block content from Quick Sight (https://us-east-2.quicksight.aws.amazon.com/) you can allow-list your application domain to Quick Sight using Quick Sight A…
🌐
GitHub
github.com › aws › aws-cdk › issues › 29006
`cloudfront`: Support `Content-Security-Policy-Report-Only` header · Issue #29006 · aws/aws-cdk
February 6, 2024 - The HTTP Content-Security-Policy-Report-Only response header allows web developers to experiment with policies by monitoring (but not enforcing) their effects. These violation reports consist of JSON documents sent via an HTTP POST request to ...
Published   Feb 06, 2024
🌐
AWS
docs.aws.amazon.com › aws waf › developer guide › aws waf › intelligent threat mitigation in aws waf › client application integrations in aws waf › aws waf javascript integrations › using the javascript api with content security policies
Using the JavaScript API with content security policies - AWS WAF, AWS Firewall Manager, AWS Shield Advanced, and AWS Shield network security director
October 1, 2025 - This section provides an example configuration to allowlist the AWS WAF apex domain. If you apply content security policies (CSP) to your resources, for your JavaScript implementation to work, you need to allowlist the AWS WAF apex domain awswaf.com.
🌐
AWS
docs.aws.amazon.com › amazon cloudfront › developer guide › code examples for cloudfront using aws sdks › cloudfront functions examples for cloudfront › add http security headers to a cloudfront functions viewer response event
Add security headers to the response - Amazon CloudFront
September 16, 2022 - async function handler(event) { var response = event.response; var headers = response.headers; // Set HTTP security headers // Since JavaScript doesn't allow for hyphens in variable names, we use the dict["key"] notation headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; frame-ancestors 'none'"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; headers['referrer-policy'] = {value: 'same-origin'}; // Return the response to viewers return response; } For a complete list of AWS SDK developer guides and code examples, see Using CloudFront with an AWS SDK.
Related queries
s3 content security policy
content-security-policy multiple values
content security policy aws template
aws alb content security policy
content security policy aws example
aws security headers policy
content-security-policy aws cloudfront
api gateway content security policy