IE Edge not honoring Lambda@Edge HSTS

Question

I have a React app hosted in AWS S3. To help secure it, I have implemented Lambda@Edge following the AWS guide: https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/

The Nodejs lambda is hosted in N. Virginia:

'use strict';
exports.handler = (event, context, callback) => {
    
    //Get contents of response
    const response = event.Records[0].cf.response;
    const headers = response.headers;

//Set new headers 
 headers['strict-transport-security'] = [{key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubdomains; preload'}]; 
 headers['content-security-policy'] = [{key: 'Content-Security-Policy', value: "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'"}]; 
 headers['x-content-type-options'] = [{key: 'X-Content-Type-Options', value: 'nosniff'}]; 
 headers['x-frame-options'] = [{key: 'X-Frame-Options', value: 'DENY'}]; 
 headers['x-xss-protection'] = [{key: 'X-XSS-Protection', value: '1; mode=block'}]; 
 headers['referrer-policy'] = [{key: 'Referrer-Policy', value: 'same-origin'}]; 
    
    //Return modified response
    callback(null, response);
};

HSTS headers and the redirect from HTTP to HTTPS works fine in Google Chrome and Firefox, but Internet Explorer Edge does not redirect. It loads the page over HTTP and has the alert "Not Secure" next to the address bar.

Looking at the network tab in Internet explorer shows the Strict-Transport-Security header in the response. Everything I have research suggests that IE supports HSTS so I am not sure why Edge is not redirecting to HTTPS and instead loading the page over HTTP. I would like to prevent any content being loaded over HTTP.

I have valid certs and domain and everything purchased through AWS, everything works as expected with Firefox and Chrome, just not IE.

Answer 1

I created this under the assumption that CloudFront was doing it's job of performing the redirect from HTTP to HTTPS. Michael's comment made me go back and check where we thought the redirect was occurring.

Turns out CloudFront had two behaviors:

Precedence    Pattern     Origin    Policy
0             *           [URL]     HTTP and HTTPS
1             Default(*)  [URL]     Redirect HTTP to HTTPS

I guess even though it is default and was created with the redirect, AWS / Cloudfront created the precedence 0 which takes effect first and allows HTTP, it is not possible to change the precedence order, you have to change the behavior of 0 to also be Redirect HTTP to HTTPS.

After that, HSTS is remembered and used by the browser.