eli-389 adding security headers to our API gateway 400 response

eddalmond1 · eddalmond1 · commit 600e109c3d18 · 2025-11-05T14:46:46.000Z
diff --git a/infrastructure/stacks/api-layer/patient_check.tf b/infrastructure/stacks/api-layer/patient_check.tf
@@ -112,5 +112,8 @@ resource "aws_api_gateway_gateway_response" "bad_request_parameters" {
   response_parameters = {
     "gatewayresponse.header.Access-Control-Allow-Origin" = "'*'"
     "gatewayresponse.header.Content-Type"                = "'application/fhir+json'"
+    "gatewayresponse.header.Cache-Control"               = "'no-store, private'"
+    "gatewayresponse.header.Strict-Transport-Security"   = "'max-age=31536000; includeSubDomains'"
+    "gatewayresponse.header.X-Content-Type-Options"      = "'nosniff'"
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -112,5 +112,8 @@ resource "aws_api_gateway_gateway_response" "bad_request_parameters" {`
`112`	`112`	`response_parameters = {`
`113`	`113`	`"gatewayresponse.header.Access-Control-Allow-Origin" = "'*'"`
`114`	`114`	`"gatewayresponse.header.Content-Type" = "'application/fhir+json'"`
	`115`	`+ "gatewayresponse.header.Cache-Control" = "'no-store, private'"`
	`116`	`+ "gatewayresponse.header.Strict-Transport-Security" = "'max-age=31536000; includeSubDomains'"`
	`117`	`+ "gatewayresponse.header.X-Content-Type-Options" = "'nosniff'"`
`115`	`118`	`}`
`116`	`119`	`}`