aligent · aaronmedina-dev · Mar 24, 2025 · Mar 21, 2025 · Mar 23, 2025 · Mar 23, 2025
@@ -11,6 +11,7 @@ Creates a Lambda function that periodically scans security headers and sends the
 This service aims to comply with PCI DSS to cover the requirements outlined by section 11.6.1.
 
 **11.6.1**: A change- and tamper-detection mechanism is deployed as follows:
+
 > - To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser.
 > - The mechanism is configured to evaluate the received HTTP headers and payment pages.
 > - The mechanism functions are performed as follows:
@@ -47,18 +48,19 @@ import { Topic } from "aws-cdk-lib/aws-sns";
 import { HeaderChangeDetection } from "@aligent/cdk-header-change-detection";
 
 // Create a new SNS topic
-const topic = new Topic(this, 'Topic');
+const topic = new Topic(this, "Topic");
 const snsTopic = new SnsTopic(topic);
 
 // Pass the required props
-new HeaderChangeDetection(this, 'HeaderChangeDetection', { snsTopic });
+new HeaderChangeDetection(this, "HeaderChangeDetection", { snsTopic });
 ```
 
 ## Local development
 
 [NPM link](https://docs.npmjs.com/cli/v7/commands/npm-link) can be used to develop the module locally.
+
 1. Pull this repository locally
 2. `cd` into this repository
 3. run `npm link`
 4. `cd` into the downstream repo (target project, etc) and run `npm link '@aligent/cdk-header-change-detection'`
-The downstream repository should now include a symlink to this module. Allowing local changes to be tested before pushing. You may want to update the version notation of the package in the downstream repository's `package.json`.
+   The downstream repository should now include a symlink to this module. Allowing local changes to be tested before pushing. You may want to update the version notation of the package in the downstream repository's `package.json`.
@@ -43,6 +43,13 @@ export interface HeaderChangeDetectionProps {
    * Optionally pass any rule properties
    */
   ruleProps?: Partial<RuleProps>;
+
+  /**
+   * Optionally accept HTTP status codes other than 200
+   *
+   * @default ["200"]
+   */
+  acceptedHttpStatus?: string[];
 }
 
 const command = [
@@ -108,6 +115,7 @@ export class HeaderChangeDetection extends Construct {
         HEADERS: headers.join(","),
         TABLE: table.tableName,
         TOPIC_ARN: props.snsTopic.topic.topicArn,
+        ACCEPTED_HTTP_STATUS: (props.acceptedHttpStatus || ["200"]).join(","),
       },
     });
 

@@ -23,6 +23,13 @@ const DB_CLIENT = new DynamoDBClient(config);
 
 const securityHeaders = HEADERS?.split(",") || [];
 
+// Accept status 200 default
+const ACCEPTED_HTTP_STATUS = (process.env.ACCEPTED_HTTP_STATUS || "200")
+  .split(",")
+  .map(code => parseInt(code.trim(), 10));
+
+console.log("ACCEPTED_HTTP_STATUS:", ACCEPTED_HTTP_STATUS);
+
 type Headers = Map<string, string | undefined>;
 
 // A map of URLs and their headers
@@ -80,8 +87,14 @@ const fetchHeaders = async (urls: string[]): Promise<URLHeaders> => {
   // Make an axios request for each url
   await Promise.all(
     urls.map(url =>
-      axios.get(url).then(response => {
-        // Then get all the security headers from each response
+      axios.get(url, { validateStatus: () => true }).then(response => {
+        if (!ACCEPTED_HTTP_STATUS.includes(response.status)) {
+          console.warn(
+            `Skipping ${url} — status ${response.status} not allowed`
+          );
+          return;
+        }
+
         const headers: Headers = new Map<string, string | undefined>();
 
         Object.entries(response.headers).forEach(([headerName, value]) => {
@@ -146,7 +159,7 @@ const updateStoredValues = async (
     if (value) {
       attributes[headerName] = {
         Value: {
-          S: value,
+          S: Array.isArray(value) ? value.join("; ") : value,
         },
         Action: "PUT",
       };