From 1ea464b1ac34192180a60570b6dcb089c54f55de Mon Sep 17 00:00:00 2001 From: Jake Jarvis Date: Fri, 15 Feb 2019 14:52:14 -0500 Subject: [PATCH] more caching improvements --- .gitlab-ci.yml | 16 ++++++++++------ lambda.js | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+), 6 deletions(-) create mode 100644 lambda.js diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e44a5ef8..d0ef96dd 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -31,18 +31,22 @@ deploy: - aws s3 sync ./public s3://$S3_BUCKET_NAME --delete --cache-control "max-age=86400, public" --metadata-directive "REPLACE" # set certain content-types manually because S3 sucks at guessing - - aws s3 cp --exclude "*" --include "*.ico" --content-type="image/x-icon" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME + - aws s3 cp --exclude "*" --include "*.ico" --content-type="image/x-icon" --cache-control "max-age=604800, public" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME - aws s3 cp --exclude "*" --include "*.svg" --content-type="image/svg+xml" --cache-control "max-age=2628000, public" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME - aws s3 cp --exclude "*" --include "*.ttf" --content-type="font/ttf" --cache-control "max-age=2628000, public" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME - aws s3 cp --exclude "*" --include "*.otf" --content-type="font/otf" --cache-control "max-age=2628000, public" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME - aws s3 cp --exclude "*" --include "*.eot" --content-type="application/vnd.ms-fontobject" --cache-control "max-age=2628000, public" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME - aws s3 cp --exclude "*" --include "*.woff" --content-type="font/woff" --cache-control "max-age=2628000, public" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME - aws s3 cp --exclude "*" --include "*.woff2" --content-type="font/woff2" --cache-control "max-age=2628000, public" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME - - aws s3 cp --exclude "*" --include "*.xml" --content-type="text/xml" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME - - aws s3 cp --exclude "*" --include "*.mp4" 
--content-type="video/mp4" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME - - aws s3 cp --exclude "*" --include "*.webm" --content-type="video/webm" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME - - aws s3 cp --exclude "*" --include "*.docx" --content-type="application/vnd.openxmlformats-officedocument.wordprocessingml.document" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME - - aws s3 cp --exclude "*" --include "*.pdf" --content-type="application/pdf" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME + - aws s3 cp --exclude "*" --include "*.xml" --content-type="text/xml" --cache-control "max-age=3600, public" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME + - aws s3 cp --exclude "*" --include "*.mp4" --content-type="video/mp4" --cache-control "max-age=604800, public" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME + - aws s3 cp --exclude "*" --include "*.webm" --content-type="video/webm" --cache-control "max-age=604800, public" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME + - aws s3 cp --exclude "*" --include "*.docx" --content-type="application/vnd.openxmlformats-officedocument.wordprocessingml.document" --cache-control "max-age=604800, public" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME + - aws s3 cp --exclude "*" --include "*.pdf" --content-type="application/pdf" --cache-control "max-age=604800, public" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME + + # a few caching improvements + - aws s3 cp --exclude "*" --include "*.jpg" --include "*.png" --include "*.gif" --cache-control "max-age=604800, public" --metadata-directive="REPLACE" --recursive s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME + - aws s3 cp 
--content-type="text/plain; charset=utf-8" --cache-control "max-age=0, no-cache, no-store" --content-disposition "inline; filename=\"jarvis.asc\"" --metadata-directive="REPLACE" s3://$S3_BUCKET_NAME/jarvis.asc s3://$S3_BUCKET_NAME/jarvis.asc # invalidate entire CloudFront cache - aws cloudfront create-invalidation --distribution-id $DISTRIBUTION_ID --paths "/*"; diff --git a/lambda.js b/lambda.js new file mode 100644 index 00000000..0d71dce6 --- /dev/null +++ b/lambda.js 
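Review bot: The added image pass (`--include "*.jpg" --include "*.png" --include "*.gif"`) uses `--metadata-directive="REPLACE"` without `--content-type`, unlike every other in-place copy in this step, so the stored Content-Type of those objects depends on what the CLI guesses during the copy. The same commit starts sending `X-Content-Type-Options: nosniff` from lambda.js, so browsers will no longer compensate for a wrong or generic type. I would confirm the stored type after a deploy (for example with `aws s3api head-object`), or split this into one command per extension with an explicit type, as already done for `.ico` and `.svg`. A one-line comment above the `jarvis.asc` copy saying why it is `no-cache, no-store` (presumably so a replaced key file is never served stale) would also help the next reader.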
@@ -0,0 +1,52 @@
+'use strict';
+exports.handler = (event, context, callback) => {
+ // Get contents of response
+ const response = event.Records[0].cf.response;
+
+ response.headers['Strict-Transport-Security'] = [{
+ key: 'Strict-Transport-Security',
+ value: "max-age=31536000; includeSubdomains"
+ }];
+ response.headers['X-Frame-Options'] = [{
+ key: 'X-Frame-Options',
+ value: "SAMEORIGIN"
+ }];
+ response.headers['X-Content-Type-Options'] = [{
+ key: 'X-Content-Type-Options',
+ value: "nosniff"
+ }];
+ response.headers['Referrer-Policy'] = [{
+ key: 'Referrer-Policy',
+ value: "same-origin"
+ }];
+ response.headers['X-XSS-Protection'] = [{
+ key: 'X-XSS-Protection',
+ value: "1; mode=block; report=https://jarvis.report-uri.com/r/d/xss/enforce"
+ }];
+// response.headers['Accept-Ranges'] = [{
+// key: 'Accept-Ranges',
+// value: "bytes"
+// }];
+ response.headers['Content-Security-Policy'] = [{
+ key: 'Content-Security-Policy',
+ value: "default-src 'self'; script-src 'self' stats.jarv.is 'sha256-TLAu2p9kt4LHt+sWwE0cvqq1Ok5LoGzRPrw7+mzhX00='; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; frame-src 'self'; connect-src 'self' jarvis.report-uri.com stats.jarv.is; upgrade-insecure-requests; report-uri https://jarvis.report-uri.com/r/d/csp/enforce"
+ }];
+ response.headers['X-DNS-Prefetch-Control'] = [{
+ key: 'X-DNS-Prefetch-Control',
+ value: "off"
+ }];
+ response.headers['X-UA-Compatible'] = [{
+ key: 'X-UA-Compatible',
+ value: "IE=edge"
+ }];
+ response.headers['Expect-CT'] = [{
+ key: 'Expect-CT',
+ value: "max-age=0, report-uri=https://jarvis.report-uri.com/r/d/ct/reportOnly"
+ }];
+
+ delete response.headers['Last-Modified'];
+ delete response.headers['Expires'];
+
+ // Return modified response
+ callback(null, response);
+};
\ No newline at end of file
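Review bot: The property names used on `response.headers` are mixed-case throughout the handler, but CloudFront documents the keys of that object as the lowercase header name, with the display casing carried only in the inner `key` field. The two `delete` statements therefore most likely remove nothing, since an origin header would sit under `last-modified` / `expires`. The added entries may also be rejected or duplicated rather than replacing an existing header; that part I have not verified. I would write them as `response.headers['strict-transport-security'] = [{` (inner `key` unchanged) and `delete response.headers['last-modified'];`, and check a live response for the headers after deploy. Separately, the Content-Security-Policy value relies on `default-src 'self'`, which does not cover `base-uri`, `form-action` or `frame-ancestors`; adding those directives explicitly would close that gap.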