Secure HTTPS Headers for JavaScript with Lambda@Edge

Delivering JavaScript securely is super important when you do crypto in the browser. Since the web version of our InnoVault product does browser-based key generation and encryption, it relies on secure JavaScript code delivery. With the help of the good folks at Amazon, Tozny has been running a pilot with Amazon Web Services’ (AWS) new Lambda@Edge capability to add secure HTTPS headers to the scripts we deliver on the CloudFront CDN. We were recently highlighted as a case study for their new product, and we got a nice write-up in TheNewStack. For technical details, read Eric Mann’s blog post! To learn more, join us on Amazon’s Webinar where we’ll be talking through our approach to using Lambda@Edge to get an A+ on Mozilla’s HTTPS Observatory with secure HTTPS headers.
Tozny—a security and privacy-software solutions company based in Portland, OR— engineered InnoVault, a toolkit that makes crypto easy for developers with the first end-to-end encrypted object store. In a few lines of code, developers can encrypt user data in a browser or mobile app, store it encrypted, and access it as a JSON object after decryption in the client. The company uses Lambda@Edge, the new Lambda feature triggered by Amazon CloudFront events that lets users easily run code across AWS locations globally and provides end users with the lowest latency response. InnoVault protects cryptographic code against rogue scripts, malicious replacement of JavaScript, and HTTPS downgrade. This is accomplished with a Lambda@Edge function that efficiently adds secure HTTPS headers such as Content Security Policy, Strict Transport Security, and XSS protection. “Lambda@Edge helps us achieve both scale and security for our cutting-edge browser-based cryptography product, which helps developers improve the security of their software from the ground up,” says Tozny CEO Isaac Potoczny-Jones.