Challenge Overview
In this challenge series we will design the architecture and implement a POC serverless SPA using various AWS services.
Our client currently has an Angular 2+ Single Page App hosted on an EC2 instance with Apache serving it. This infrastructure uses a firewall for DDoS, XSS, Basic SQL, and other protection. It employs Apache Webgate to check for authentication tokens and redirect to Oracle Access Manager (OAM) if the token is not found, for SSO/login. Our goal in this challenge series is to define and implement a POC architecture within the AWS ecosystem to replace the current EC2 setup with a serverless infrastructure.
In previous challenges we developed a POC Angular app with SSO implemented using Lambda@Edge: the function intercepts all requests and redirects to Auth0 if the request is unauthorised (i.e. the SSO cookie is missing). The Angular app is served using CloudFront.
In this challenge we want to create another Lambda function that adds custom headers to the response containing the Angular entry page (index.html). This function should be attached to the viewer response behaviour in CloudFront. The list of headers should be configurable; you can use these sample headers as the default:
X-Frame-Options:SAMEORIGIN
X-UA-Compatible:IE=Edge
X-XSS-Protection:1; mode=block
These headers should be added only if the response is index.html, not for other resources (images, JS, CSS, ...), and it should work even with deep links to the Angular app, i.e. if CloudFront serves index.html as the response to a deep link, the headers should be added as well.
The SSO interceptor in the existing Lambda function only triggers the SSO flow for requests to index.html; we want to add support for deep links as well (if the request is to domain.com/some.deep/link and the SSO cookie does not exist, the SSO redirect should still be performed).
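An added example of the viewer-response function (not code from the challenge repository): it keeps the header list in a constant because Lambda@Edge does not support environment variables, and it assumes every real asset URL (JS, CSS, images) carries a file extension, so a path whose last segment has no extension is treated as a deep link served by index.html. The same isAppEntry check is what the SSO interceptor needs in order to redirect deep links.

```javascript
'use strict';

// Configurable header list (assumption: edited in code, since Lambda@Edge
// functions cannot read environment variables).
const SECURITY_HEADERS = {
  'X-Frame-Options': 'SAMEORIGIN',
  'X-UA-Compatible': 'IE=Edge',
  'X-XSS-Protection': '1; mode=block',
};

// True when the request resolves to the Angular entry page: "/",
// "/index.html", or a deep link whose last path segment has no extension.
// Assumption: all static assets (.js, .css, .png, ...) carry an extension.
function isAppEntry(uri) {
  if (uri === '/' || uri.endsWith('/index.html')) return true;
  const last = uri.substring(uri.lastIndexOf('/') + 1);
  return !last.includes('.');
}

// Add headers in CloudFront's {key, value} list format; the map key must be
// the lower-cased header name.
function addSecurityHeaders(response, headers = SECURITY_HEADERS) {
  for (const [name, value] of Object.entries(headers)) {
    response.headers[name.toLowerCase()] = [{ key: name, value }];
  }
  return response;
}

// Viewer-response handler: headers are added only when the response is the
// entry page, whether requested directly or via a deep link.
async function handler(event) {
  const { request, response } = event.Records[0].cf;
  if (isAppEntry(request.uri)) addSecurityHeaders(response);
  return response;
}

if (typeof module !== 'undefined') {
  module.exports = { handler, isAppEntry, addSecurityHeaders, SECURITY_HEADERS };
}
```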
Base code is available in the project repo; use the master branch. See the challenge forums for access to the GitLab repository.
NOTE: Documentation is a major requirement in this project so make sure to update deployment/verification docs.
Final Submission Guidelines
Submit the updated code
Submit a deployment/verification guide
Submit a short demo video