Can I add security headers to object storage objects?
I am using object storage for a static site. I am able to add a Cache-Control header to objects/pages using s3cmd, but I am unable to add other security-related headers such as Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options. I have tried using commands such as this one:
s3cmd modify --add-header=Content-Security-Policy:upgrade-insecure-requests s3://my-bucket/object
The command doesn't throw an error but I don't see the header when I view the page. Is it even possible to add such headers to objects?
3 Replies
Based on this older GitHub post, I don't believe the headers you are trying to add are supported by S3. They confirm that the Cache-Control header is supported, however, x-frame-options is not.
The additional headers likely need to be set using another service such as Cloudflare. Keep in mind, if you are using Cloudflare with your Object Storage Bucket, you will need to take some special considerations when configuring your DNS records.
@tlambert, thank you very much for your quick response. I originally tried using Cloudflare's DNS with my object storage site but switched to Linode DNS when I found that it was not possible to use Cloudflare's network: a static site would only work when using Cloudflare's "DNS only" option. Adding headers may be a reason to switch back. In the end, I may also opt for just using a traditional web server, as hosting static sites in buckets sometimes feels like a bit of a hack, although attractive in many ways.
I've confirmed that I can add headers to object storage objects using a Cloudflare worker. However, this requires the DNS to use Cloudflare's network. A subdomain using Cloudflare's network pointed at an object storage bucket does not respect the bucket's website settings, i.e. index and 404 pages are not recognized (I made sure to use the relevant subdomain as the name of the bucket). And so unless one is willing to forego index and 404 pages (and can tolerate visitors seeing XML for non-existent pages), there doesn't appear to be a way to add security-related headers to object storage website objects.
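A Cloudflare Worker of the kind the reply above describes, added here as an illustration and not the poster's code: it proxies each request to the bucket, sets the three headers the question asks about, and rewrites directory-style paths to an index object so the bucket's index-page setting (which the reply notes is bypassed behind Cloudflare's proxy) is approximated. The CSP value is taken from the question and is only a placeholder to be tuned; the index object name `index.html` is an assumption.

```javascript
// Security headers to attach to every response served from the bucket.
// Values are illustrative; the CSP in particular should be tuned per site.
const SECURITY_HEADERS = {
  "Content-Security-Policy": "upgrade-insecure-requests",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
};

// Return a copy of `response` with the security headers set. Headers the
// origin already sent (e.g. Cache-Control added with s3cmd) are preserved;
// a header of the same name from the origin is overwritten by ours.
function addSecurityHeaders(response) {
  const headers = new Headers(response.headers);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    headers.set(name, value);
  }
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

// Map "/" and "/docs/" to "/index.html" and "/docs/index.html" so that the
// proxied bucket behaves like a website even though the bucket's own
// index-page setting is not applied to proxied requests. The index object
// name is an assumption.
function rewriteIndexPath(pathname, indexName = "index.html") {
  return pathname.endsWith("/") ? pathname + indexName : pathname;
}

// Worker entry point. Deploy it with `export default worker`; here it is
// kept as a plain object so the helpers above can be exercised offline.
const worker = {
  async fetch(request) {
    const url = new URL(request.url);
    url.pathname = rewriteIndexPath(url.pathname);
    // Forward to the bucket (the zone's origin), then decorate the reply.
    const originResponse = await fetch(new Request(url.toString(), request));
    return addSecurityHeaders(originResponse);
  },
};
```

A custom 404 page could be handled the same way by fetching the bucket's error object when the origin returns 404, but that is left out here.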