CSP is a technique designed to impair XSS attacks. That is, it is most useful in combination with serving hypermedia that relies on other resources being loaded with it. That is not exactly a scenario I would expect with an API. That is not to say you cannot use it. If there really is no interactive content in your responses, nothing would stop you from serving this header:

Content-Security-Policy: default-src 'none';

Going one step further, you could use CSP as some sort of makeshift Intrusion Detection System by setting report-uri in order to fetch incoming violation reports. That is well within the intended use but still a bit on the cheap.

In conclusion, it can theoretically improve the security of your API through little effort. Practically, the advantages may be slim to none. If you feel like it, there should be no harm in sending that header. You may gain more by e.g. suppressing MIME-type sniffing, though.

See also: The OWASP Secure Headers Project

Answer from DaSourcerer on Stack Overflow
AWS (docs.aws.amazon.com)
Security policies for REST APIs in API Gateway - Amazon API Gateway
The SecurityPolicy_TLS13_1_3_2025_09 security policy accepts TLS 1.3 traffic and rejects TLS 1.2 and TLS 1.0 traffic. For TLS 1.3 traffic, the security policy accepts the following cipher suites: ... API Gateway does not accept any other cipher suites. For instance, the security policy would reject any TLS 1.3 traffic that uses the AES128-SHA cipher suite.
Zuplo (zuplo.com)
Implementing Content Security Policy for API Protection: A Comprehensive Guide | Zuplo Learning Center
March 6, 2025 - Content-Security-Policy: script-src 'sha256-{HASHED_INLINE_SCRIPT}' 'strict-dynamic'; object-src 'none'; base-uri 'none'; Hash-based CSP works well with static content but requires recalculation whenever scripts change. When integrating advanced CSP into API architectures: Implement CSP headers at the API gateway level for consistent policy application
AWS (docs.aws.amazon.com)
Security best practices in Amazon API Gateway - Amazon API Gateway
Use IAM policies to implement least privilege access for creating, reading, updating, or deleting API Gateway APIs. To learn more, see Identity and access management for Amazon API Gateway. API Gateway offers several options to control access to APIs that you create. To learn more, see Control and manage access to REST APIs in API Gateway, Control and manage access to WebSocket APIs in API Gateway, and Control access to HTTP APIs with JWT authorizers in API Gateway.
Saaras (saaras.io)
Understanding API Gateway Security Policy: Best Practices for 2025
API Gateways should be protected by strong authentication and authorization policies. OAuth 2.0 and JSON Web Tokens (JWT) are two important standards. They help solve network security problems and improve mutual TLS authentication.
AWS (aws.amazon.com)
Enhancing API security with Amazon API Gateway TLS security policies | Amazon Web Services
November 21, 2025 - A security policy in API Gateway is a predefined combination of a minimum TLS version and a curated set of cipher suites. When a client connects to your REST API or custom domain name, API Gateway uses the selected policy to determine which ...
AWS (docs.aws.amazon.com)
Choose a security policy for your custom domain in API Gateway - Amazon API Gateway
Security policies protect your APIs and custom domain names from network security problems such as tampering and eavesdropping between a client and server. API Gateway supports legacy security policies and enhanced security policies. TLS_1_0 and TLS_1_2 are legacy security policies.
Answer 1 of 5 (score 10)

I'm having the same problem (using S3/CloudFront) and it appears there is currently no way to set this up easily.

S3 has a whitelist of the headers permitted, and Content-Security-Policy is not on it. Whilst it is true you can use the prefixed x-amz-meta-Content-Security-Policy, this is unhelpful as there is no browser support for it.

There are two options I can see.

1) you can serve the html content from a webserver on an EC2 instance and set that up as another CloudFront origin. Not really a great solution.

2) include the CSP as a meta tag within your html document:

    <!doctype html>
    <html>
      <head>
        <meta http-equiv="Content-Security-Policy" content="default-src http://*.foobar.com 'self'">
...

This option is not as widely supported by browsers, but it appears to work with both WebKit and Firefox, so the current Chrome, Firefox, Safari (and iOS 7 Safari) seem to support it.

I chose 2 as it was the simpler/cheaper/faster solution and I hope AWS will add the CSP header in the future.

Answer 2 of 5 (score 6)

S3/CloudFront takes any headers that the origin sets and forwards those to the client, but you can't set custom headers on your response directly.

You can use Lambda@Edge function that can inject security headers through CloudFront.

Here is how the process works (reference: AWS blog):

  • Viewer navigates to website.
  • Before CloudFront serves content from the cache it will trigger any Lambda function associated with the Viewer Request trigger for that behavior.
  • CloudFront serves content from the cache if available, otherwise it goes to step 4.
  • Only after CloudFront cache ‘Miss’, Origin Request trigger is fired for that behavior.
  • S3 Origin returns content.
  • After content is returned from S3 but before being cached in CloudFront, Origin Response trigger is fired.
  • After content is cached in CloudFront, Viewer Response trigger is fired and is the final step before viewer receives content.
  • Viewer receives content.

Below is the blog from AWS on how to do this step by step.

https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/
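An Origin Response handler for the flow listed above, added here as an example and not the code from the answer or from the linked AWS post. It shows the Lambda@Edge event shape, which differs from the CloudFront Functions shape (an array of {key, value} objects per header, keyed by the lower-cased name), and why the Origin Response trigger is the right one: the headers are added once, before the object is cached, rather than on every viewer request. The sample event and the header values are constructed.

```javascript
// Added example: Lambda@Edge Origin Response handler that injects security
// headers (Node.js). Not the code from the answer or the linked AWS post.

// Headers as the viewer should receive them. Values are illustrative.
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy':
    "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; " +
    "object-src 'none'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

// Lambda@Edge keys response.headers by lower-cased header name and stores
// each header as an array of {key, value} objects (key keeps the casing sent
// to the viewer). CloudFront Functions use {value} only, so a handler written
// for one runtime does not work unchanged on the other.
function addSecurityHeaders(response, extra = SECURITY_HEADERS) {
  const headers = response.headers || (response.headers = {});
  for (const [name, value] of Object.entries(extra)) {
    // Replace whatever the origin sent (e.g. X-Frame-Options: SAMEORIGIN)
    // rather than appending a second, conflicting value.
    headers[name.toLowerCase()] = [{ key: name, value }];
  }
  return response;
}

// Origin Response trigger: runs once per cache miss, after S3 answers and
// before CloudFront stores the object, so the headers are cached with it.
// A Viewer Response trigger would run on every request, hit or miss, and its
// changes are never cached.
async function handler(event) {
  const record = event.Records[0].cf;
  if (record.config.eventType !== 'origin-response') {
    throw new Error(`expected origin-response trigger, got ${record.config.eventType}`);
  }
  return addSecurityHeaders(record.response);
}

// Constructed sample event in the Lambda@Edge origin-response shape.
const SAMPLE_EVENT = {
  Records: [{
    cf: {
      config: { distributionId: 'EXAMPLE', eventType: 'origin-response' },
      request: { uri: '/index.html', method: 'GET' },
      response: {
        status: '200',
        statusDescription: 'OK',
        headers: {
          'content-type': [{ key: 'Content-Type', value: 'text/html' }],
          'x-frame-options': [{ key: 'X-Frame-Options', value: 'SAMEORIGIN' }],
        },
      },
    },
  }],
};

if (typeof module !== 'undefined') module.exports = { handler, addSecurityHeaders, SAMPLE_EVENT };
```

Because the headers are cached with the object, changing the policy later requires an invalidation (or a new object version); otherwise viewers keep receiving the old headers until the cached copies expire.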

Solo.io (solo.io)
API gateway security: 7 best practices | Solo.io
An effective API gateway should have a bottom-up design to guarantee strong security. ... Act as a proxy point to the control APIs inline. Authenticate the identity of all API requests by validating credentials, ID tokens, and more authentication methods. Determine the traffic allowed to reach the back end via the API. Use rate-limiting and throttling to measure traffic passing through each API. Enforce security governance by implementing runtime policies and logging all API transactions.
Answer 1 of 2 (score 1)
It depends on your requirements and whether you expect the headers to be sent as part of the client request or need to add the headers before the request hits the API Gateway.

If you need to block client requests if some headers are missing, you can associate a WAF ACL with the API Gateway and define rules to block requests without mandatory headers. Look at these two for guidance:

  • https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html
  • https://aws.amazon.com/premiumsupport/knowledge-center/waf-block-http-requests-no-user-agent/

If the requirement is that the headers need to be added to the request before the request reaches the API Gateway even if the client did not send the headers, you can do so using Lambda@Edge with a CloudFront distribution in front of your API Gateway. Look at these for guidance:

  • https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/ (this example shows response headers but you can use similar concepts for the request headers with some changes)
  • https://docs.amazonaws.cn/en_us/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-how-it-works-tutorial.html

Some examples of Lambda@Edge functions: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html
Answer 2 of 2 (score 0)
Lambda@Edge functions with CloudFront work fine for my scenario. I have added one additional thing that may be the easiest way to remove security header vulnerabilities. I have created and deployed the Express app to Lambda.

By default, Express.js sends the X-Powered-By response header banner. This can be disabled using the app.disable() method:

```
app.disable('x-powered-by')
```

and also apply headers on the Express app:

```
const express = require('express');
const app = express();

// Express advertises itself in X-Powered-By; drop the banner
app.disable('x-powered-by');

// Apply the security headers to every response
app.use(function (req, res, next) {
  res.header('Strict-Transport-Security', 'max-age=63072000');
  // Note: browsers treat 'null' as a matchable origin (sandboxed iframes,
  // file:// pages), so this does not deny cross-origin reads; omit the
  // header entirely if no cross-origin access is intended
  res.header('Access-Control-Allow-Origin', 'null');
  res.header('Referrer-Policy', 'no-referrer');
  // Permissions-Policy uses the feature=(allowlist) syntax; an empty list
  // disables the feature everywhere
  res.header('Permissions-Policy', 'microphone=(), geolocation=()');
  res.header('X-Frame-Options', 'DENY');
  res.header('Content-Type', 'application/json; charset=UTF-8');
  res.header('Cache-Control', 'no-store');
  res.header('X-Content-Type-Options', 'nosniff');
  return next();
});
```
AWS (docs.aws.amazon.com)
Control access to a REST API with API Gateway resource policies - Amazon API Gateway
Amazon API Gateway resource policies are JSON policy documents that you attach to an API to control whether a specified principal (typically an IAM role or group) can invoke the API. You can use API Gateway resource policies to allow your API to be securely invoked by:
AWS whitepaper (d1.awsstatic.com, PDF)
Archived AWS Whitepaper Security Overview of Amazon API Gateway
execution role with a trust policy, where API Gateway is the Principal, and a permissions policy to allow the action required for the AWS service you are integrating with. ... Use HTTP integrations to integrate your API with HTTP/S services with public endpoints. You can create API Gateway-generated client certificates to secure requests made to HTTP endpoints.
AWS (docs.aws.amazon.com)
Supported security policies - Amazon API Gateway
You can update the security policy for your API or custom domain name at any time. Policies that contain FIPS in the title are compatible with the Federal Information Processing Standard (FIPS), which is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. To learn more, see Federal Information Processing Standard (FIPS) 140 ... All FIPS policies leverage the AWS-LC FIPS validated cryptographic module.
CloudThat (cloudthat.com)
Enhancing API Security with Amazon API Gateway Resource Policies
October 14, 2025 - Secure internal APIs Use resource policies to restrict API access to internal services communicating over private endpoints. Control access by environment Limit access to development or staging APIs by source IP or VPC endpoint. ... You create a JSON document specifying Effect, Principal, Action, and Condition. For example, to allow access only from a specific IP range: ... Open the Amazon API Gateway console.
SEEBURGER AG (blog.seeburger.com)
API Gateway Security
March 27, 2025 - Essentially, the gateway acts as a “gatekeeper,” monitoring each request, verifying identities, and managing access based on specified policies. API gateways also help optimize performance by controlling how many requests reach the backend systems, protecting them from overload or malicious attacks. Modern API gateways, such as SEEBURGER’s, offer transparency into API traffic, meeting both business and security requirements and providing a unified view of API-related activities.
AWS (docs.aws.amazon.com)
Security in Amazon API Gateway - Amazon API Gateway
Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations. This documentation helps you understand how to apply the shared responsibility model when using API Gateway.
AWS (docs.aws.amazon.com)
Add HTTP security headers to a CloudFront Functions viewer response ...
```
async function handler(event) {
  var response = event.response;
  var headers = response.headers;

  // Set HTTP security headers
  // Since JavaScript doesn't allow for hyphens in variable names, we use the dict["key"] notation
  headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload' };
  headers['content-security-policy'] = { value: "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; frame-ancestors 'none'" };
  headers['x-content-type-options'] = { value: 'nosniff' };
  headers['x-frame-options'] = { value: 'DENY' };
  headers['x-xss-protection'] = { value: '1; mode=block' };
  headers['referrer-policy'] = { value: 'same-origin' };

  // Return the response to viewers
  return response;
}
```
Amazon Web Services (aws.amazon.com)
Amazon API Gateway FAQs | API Management | Amazon Web Services
1 week ago - API Gateway helps you define plans that meter and restrict third-party developer access to your APIs. You can define a set of plans, configure throttling, and quota limits on a per API key basis. API Gateway automatically meters traffic to your APIs and lets you extract utilization data for ...