Skip to content

SMG-1185: Added CORS and NoIndexNoFollow Response Header Policies #1568

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
porhkz merged 11 commits into from
Dec 4, 2025
Merged

SMG-1185: Added CORS and NoIndexNoFollow Response Header Policies #1568

porhkz merged 11 commits into from
Dec 4, 2025
+454 −2

Conversation

@porhkz
Copy link
Contributor

@porhkz porhkz commented Nov 27, 2025

Description of the proposed changes

  • corsAllowOrigins - Configure CORS Access-Control-Allow-Origin headers
    • Automatically applied to static file behaviors (*.js, *.css, etc.)
    • Automatically applied to remapPaths and remapBackendPaths
    • Applied to default behavior (combined with NoIndexNoFollow when applicable)
  • indexable (default: true) - Control search engine indexing
    • When false, adds x-robots-tag: noindex,nofollow header to default behavior
    • Combines with CORS configuration when both are set
  • corsResponseHeadersPolicy - Exposed as public property for custom downstream use

Screenshots (if applicable)
Before

export class StaticHostingStack extends Stack {
...
    const responseHeadersPolicies: ResponseHeaderMappings = {};
    responseHeadersPolicies["additionalBehaviorResponsePolicy"] = {};

    // Create CORS policy if corsAllowOrigin is specified
    let customSimpleCORSPolicy: ResponseHeadersPolicy | undefined;

    if (props.corsAllowOrigin) {
      const corsBehavior: ResponseHeadersCorsBehavior = {
        accessControlAllowCredentials: false,
        accessControlAllowHeaders: ['*'],
        accessControlAllowMethods: ['GET', 'HEAD', 'OPTIONS'],
        accessControlAllowOrigins: props.corsAllowOrigin,
        originOverride: true,
      };

      customSimpleCORSPolicy = new ResponseHeadersPolicy(this, "customSimpleCORSPolicy", {
        corsBehavior: corsBehavior
      });
    }

    // Configure default behavior response headers policy
    if (!props.indexable) {
      // Create noindex/nofollow policy with optional CORS
      responseHeadersPolicies["defaultBehaviorResponseHeaderPolicy"] =
        new ResponseHeadersPolicy(this, "NoIndexNoFollow", {
          customHeadersBehavior: {
            customHeaders: [
              {
                header: "x-robots-tag",
                value: "noindex,nofollow",
                override: true,
              },
            ],
          },
          corsBehavior: props.corsAllowOrigin ? {
            accessControlAllowCredentials: false,
            accessControlAllowHeaders: ['*'],
            accessControlAllowMethods: ['GET', 'HEAD', 'OPTIONS'],
            accessControlAllowOrigins: props.corsAllowOrigin,
            originOverride: true,
          } : undefined,
        });
    } else if (customSimpleCORSPolicy) {
      // If indexable but CORS is enabled, use CORS policy for default behavior
      responseHeadersPolicies["defaultBehaviorResponseHeaderPolicy"] = customSimpleCORSPolicy;
    }

...
// This would be repeatedly applied to every remapPath and remapBackendpath
...(customSimpleCORSPolicy && { behaviour: { responseHeadersPolicy: customSimpleCORSPolicy } }),
...

After

new StaticHosting(this, "StaticHostingStack", {
  corsAllowOrigins: props.corsAllowOrigin,
  indexable: props.indexable
});

Other solutions considered (if any)

  • N/A

Notes to PR author

⚠️ Please make sure the changes adhere to the guidelines mentioned here

Notes to reviewers

🛈 When you've finished leaving feedback, please add a final comment to the PR tagging the author, letting them know that you have finished leaving feedback

@porhkz porhkz marked this pull request as ready for review November 27, 2025 03:50
@porhkz porhkz requested a review from a team as a code owner November 27, 2025 03:50
@porhkz porhkz changed the title Added CORS and NoIndexNoFollow Response Header Policies SMG-1185: Added CORS and NoIndexNoFollow Response Header Policies Nov 27, 2025
TheOrangePuff
TheOrangePuff requested changes Nov 27, 2025
View reviewed changes
@porhkz porhkz requested a review from TheOrangePuff November 28, 2025 01:48
TheOrangePuff
TheOrangePuff requested changes Dec 2, 2025
View reviewed changes
@porhkz porhkz requested a review from TheOrangePuff December 2, 2025 03:15
TheOrangePuff
TheOrangePuff requested changes Dec 2, 2025
View reviewed changes
@porhkz porhkz requested a review from TheOrangePuff December 3, 2025 02:13
TheOrangePuff
TheOrangePuff approved these changes Dec 4, 2025
View reviewed changes
Copy link
Member

@TheOrangePuff TheOrangePuff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@porhkz porhkz merged commit d4276b0 into main Dec 4, 2025
8 checks passed
@github-actions github-actions bot mentioned this pull request Dec 4, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TheOrangePuff TheOrangePuff TheOrangePuff approved these changes

@hubertott hubertott Awaiting requested review from hubertott hubertott is a code owner automatically assigned from aligent/devops

@NgaNaNa NgaNaNa Awaiting requested review from NgaNaNa NgaNaNa is a code owner automatically assigned from aligent/devops

@aaronmedina-dev aaronmedina-dev Awaiting requested review from aaronmedina-dev

@crispy101 crispy101 Awaiting requested review from crispy101

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@porhkz @TheOrangePuff