AWS Certified Security – Specialty — Question 61
A Security Engineer must add additional protection to a legacy web application by adding the following HTTP security headers:
-Content-Security-Policy
-X-Frame-Options
-X-XSS-Protection
The Engineer does not have access to the source code of the legacy web application.
Which of the following approaches would meet this requirement?
Answer options
- A. Configure an Amazon Route 53 routing policy to send all web traffic that does not include the required headers to a black hole.
- B. Implement an AWS Lambda@Edge origin response function that inserts the required headers.
- C. Migrate the legacy application to an Amazon S3 static website and front it with an Amazon CloudFront distribution.
- D. Construct an AWS WAF rule to replace existing HTTP headers with the required security headers by using regular expressions.
Correct answer: B
Explanation
The correct answer is B. Putting an Amazon CloudFront distribution in front of the legacy origin and attaching a Lambda@Edge function to the origin-response event lets the Engineer add or overwrite HTTP response headers before CloudFront caches and returns them, without touching the application code. (A viewer-response function would also work; the difference is that headers added at origin-response are stored with the cached object, while a viewer-response function runs on every request. CloudFront response headers policies are a newer, code-free alternative, but it is not among the options.) Option A is incorrect: Route 53 answers DNS queries, never sees HTTP headers, and dropping traffic adds nothing to a response. Option C is incorrect: a dynamic legacy application cannot simply be moved to an S3 static website, and the migration by itself adds no headers. Option D is incorrect: AWS WAF inspects requests and allows, blocks or counts them; it cannot rewrite HTTP response headers.
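The following is an added example of the origin-response function that option B describes; it is not part of the original question and not AWS-supplied code. It assumes a Node.js Lambda@Edge runtime, and the Content-Security-Policy value shown is an assumed placeholder that must be tuned to whatever the legacy application actually loads. The sample event is constructed to mirror the shape of a CloudFront origin-response event, not captured from production.

```javascript
'use strict';

// Lambda@Edge origin-response handler that injects the three required headers.
// CloudFront's event format keys each header by its lower-cased name; the
// `key` field carries the casing that is actually sent to the client.
const SECURITY_HEADERS = {
  'content-security-policy': {
    key: 'Content-Security-Policy',
    // Assumed policy: tighten or relax to match what the legacy app loads.
    value: "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
  },
  'x-frame-options': { key: 'X-Frame-Options', value: 'DENY' },
  'x-xss-protection': { key: 'X-XSS-Protection', value: '1; mode=block' },
};

// Add (or overwrite) each security header on a CloudFront response object.
// Overwriting is deliberate: a weaker value emitted by the legacy origin
// (for example X-Frame-Options: ALLOWALL) must not survive.
function addSecurityHeaders(response) {
  const headers = response.headers || {};
  for (const [lowerName, header] of Object.entries(SECURITY_HEADERS)) {
    headers[lowerName] = [{ key: header.key, value: header.value }];
  }
  response.headers = headers;
  return response;
}

// Entry point CloudFront invokes. Returning the modified response object is
// what makes CloudFront cache and serve it instead of the origin's original.
async function handler(event) {
  const response = event.Records[0].cf.response;
  return addSecurityHeaders(response);
}

// Constructed sample event for offline testing; it mirrors the shape of a
// CloudFront origin-response event but is not a real captured event.
function sampleEvent() {
  return {
    Records: [{
      cf: {
        config: { distributionId: 'EXAMPLE', eventType: 'origin-response' },
        request: { uri: '/index.html', method: 'GET', headers: {} },
        response: {
          status: '200',
          statusDescription: 'OK',
          headers: {
            'content-type': [{ key: 'Content-Type', value: 'text/html' }],
            // Weak legacy value that the function must override.
            'x-frame-options': [{ key: 'X-Frame-Options', value: 'ALLOWALL' }],
          },
        },
      },
    }],
  };
}

if (typeof module !== 'undefined') {
  module.exports = { handler, addSecurityHeaders, sampleEvent, SECURITY_HEADERS };
  // Print the rewritten headers when run directly: node index.js
  if (typeof require !== 'undefined' && require.main === module) {
    handler(sampleEvent()).then((r) => console.log(JSON.stringify(r.headers, null, 2)));
  }
}
```

Deployment notes a practitioner would want: the function must be created in us-east-1 (N. Virginia), published as a numbered version, and associated with the distribution's cache behaviour on the origin-response trigger; because origin-response output is cached, invalidate the cache after changing the header values. X-XSS-Protection is retained here only because the question requires it; current Chromium-based browsers have removed the XSS auditor it controlled, so the Content-Security-Policy header is the one doing the real work.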