
sherminsathi6
Apr 03, 2022
In General Discussions
When you visit Sendgrid.Com to view your account details or https://mc.Sendgrid.Com for marketing campaigns, you are visiting our front-end web applications hosted in AWS S3 buckets with CloudFront distributions in front of them. Our web applications essentially consist of minified and code-split JavaScript and CSS files, HTML files, and image files uploaded to S3 buckets, which CloudFront caches and delivers to our users. Each of our web application environments, whether test, staging, or production, has a separate S3 bucket and CloudFront distribution.

This AWS S3 and CloudFront infrastructure works well for hosting our large-scale web applications' files on a content delivery network, but our initial setups lacked tighter protections in the form of security headers. Adding these security headers would protect users from attacks such as cross-site scripting, MIME sniffing, clickjacking, code injection, and protocol-related man-in-the-middle attacks. If left unchecked, this would have serious consequences for our customers' data and for our company's confidence in its ability to provide a secure web experience.

Before digging into how to add these headers, we first took a step back to see where we were at. After running our web application URL through a security headers scanning website, we unsurprisingly received a failing grade, but saw a useful list of headers to examine, as shown below. As you can see, there was plenty of room for improvement.

We researched how to configure our AWS S3 and CloudFront resources to respond with security headers to mitigate the mentioned risks and vulnerabilities. At a high level, we can achieve this by creating a Lambda@Edge function that modifies the original response headers to add the desired security headers before the web application files are returned to the user's browser. The strategy is to first test manually plugging in items through the AWS console.
Then we'll put those configurations into Terraform to


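The Lambda@Edge approach the post describes, as an added example that is not part of the original post or of the author's own code: a Node.js handler for the CloudFront "origin-response" trigger that injects security headers into every response fetched from the S3 origin, before CloudFront caches it and returns it to the browser. The header values, the sample event, and the file name in the comment are assumptions chosen for a static single-page app; each header is annotated with the attack class from the post that it mitigates.

```javascript
'use strict';

// Added example (not the original post's code). Lambda@Edge handler for the
// CloudFront origin-response trigger: every response from the S3 origin gets
// the headers below before it is cached and delivered to the browser.
// The values are assumptions for a static SPA; tune the CSP to what your
// bundle actually loads (third-party scripts, fonts, APIs, etc.).
const SECURITY_HEADERS = {
  // Forces HTTPS for a year on this host and subdomains: mitigates protocol
  // downgrade / man-in-the-middle. Add "; preload" only once you've submitted
  // the domain to the HSTS preload list.
  'strict-transport-security': {
    key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains',
  },
  // Restricts where scripts, styles, images etc. may load from: mitigates XSS
  // and code injection. frame-ancestors 'none' is the modern clickjacking control.
  'content-security-policy': {
    key: 'Content-Security-Policy',
    value: "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  },
  // Stops browsers guessing a MIME type from content: mitigates MIME sniffing.
  'x-content-type-options': { key: 'X-Content-Type-Options', value: 'nosniff' },
  // Legacy clickjacking control for browsers without frame-ancestors support.
  'x-frame-options': { key: 'X-Frame-Options', value: 'DENY' },
  // Limits what the Referer header leaks to third-party origins.
  'referrer-policy': { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
};

// Pure function so it can be unit-tested without a CloudFront event.
// CloudFront requires the header map keys to be lowercase; each value is an
// array of { key, value } objects.
function addSecurityHeaders(response) {
  const headers = response.headers || {};
  for (const [name, header] of Object.entries(SECURITY_HEADERS)) {
    // Overwrite rather than merge: the edge function, not the origin, is the
    // authority for these headers, so a weaker value set in S3 object
    // metadata cannot win.
    headers[name] = [{ key: header.key, value: header.value }];
  }
  response.headers = headers;
  return response;
}

// Lambda@Edge entry point for the origin-response trigger. The function must
// be deployed in us-east-1 and published as a numbered version to attach it
// to the distribution's cache behavior.
async function handler(event) {
  const response = event.Records[0].cf.response;
  return addSecurityHeaders(response);
}

// Constructed sample event (not a real capture) mirroring the origin-response
// event shape, with a weaker X-Frame-Options value coming from the origin.
function sampleEvent() {
  return {
    Records: [{
      cf: {
        response: {
          status: '200',
          statusDescription: 'OK',
          headers: {
            'content-type': [{ key: 'Content-Type', value: 'text/html' }],
            'x-frame-options': [{ key: 'X-Frame-Options', value: 'SAMEORIGIN' }],
          },
        },
      },
    }],
  };
}

// Export for Lambda (CommonJS) and run stand-alone with: node edge-headers.js
if (typeof module !== 'undefined') {
  module.exports = { handler, addSecurityHeaders, sampleEvent };
  if (typeof require !== 'undefined' && require.main === module) {
    handler(sampleEvent()).then((res) => console.log(JSON.stringify(res.headers, null, 2)));
  }
}
```

Two practical caveats: Lambda@Edge functions cannot read environment variables, so header values have to be baked into the deployed code (or read from a config file packaged with it), and since late 2021 CloudFront also offers response headers policies that set these same headers natively on a cache behavior without any function code; for a plain static site that is worth evaluating before maintaining an edge function.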