milliHQ / terraform-aws-next-js

Terraform module for building and deploying Next.js apps to AWS. Supports SSR (Lambda), Static (S3) and API (Lambda) pages.
https://registry.terraform.io/modules/milliHQ/next-js/aws
Apache License 2.0
1.47k stars 151 forks source link

Headers specified in next.config.js not being included in response #360

Open cammanderson opened 2 years ago

cammanderson commented 2 years ago

Hi!

We have configured headers (such as "Content-Security-Policy") on to our paths, and noticed that they are not being included in Cloudfront responses.

In our use-case we have a public website component and an app, as well as a need for certain paths to have differing policies. The specific headers are those documented on NextJS site.

From what I can ascertain, my options are:

Is this a known limitation or am I missing an input option? I could see another issue raised regarding custom headers, and from what I could understand this is not yet a feature. Would it be difficult adjustment to add some basic support? If not, is there a general direction that can be offered of where to add it in?

Thanks, really appreciate the package.

ofhouse commented 2 years ago

Hey Cameron,

yes this unfortunately a known limitation with the module (See #9).

It happens because our router (that runs as Lambda@Edge) service only runs on origin-request CloudFront event. The custom headers from the next.config.js need to be added to response, but this event is currently not covered by the router.

A possible solution for adding static headers would be to use the With existing CloudFront template (which allows to modify the CloudFront distribution) and apply a Response Headers Policy to it.