🔥 3-day streak
AWS Certified Security - Specialty6 / 157
Question 6 of 157
A security team operates a public web application served through Amazon CloudFront with an Application Load Balancer origin. A recent penetration test flagged that the application does not enforce HTTP Strict Transport Security (HSTS) and is missing X-Content-Type-Options and X-Frame-Options headers on responses. The development team is busy and cannot modify the application code for several sprints. The team needs a way to consistently add these security headers to all responses at the edge with minimal operational effort. Which approach best meets this requirement?
Reviewed for accuracy · Report an issueNext question