Why Security Headers Matter
Security headers are an essential part of web application security. They help protect against common vulnerabilities such as cross-site scripting (XSS), clickjacking, and data exposure. By configuring these headers, you instruct browsers on how to handle your content securely.
The Azure platform does not automatically inject these headers, so developers must configure them at the application level, in middleware, or at the edge.
Common Security Headers to Implement
- Content-Security-Policy (CSP)
Controls which resources the browser can load, mitigating XSS attacks.
Content-Security-Policy: default-src 'self';
- X-Content-Type-Options
Prevents MIME type sniffing.
X-Content-Type-Options: nosniff
- X-Frame-Options
Protects against clickjacking by disallowing iframe embedding.
X-Frame-Options: DENY
- Strict-Transport-Security (HSTS)
Enforces HTTPS connections.
Strict-Transport-Security: max-age=31536000; includeSubDomains
- Referrer-Policy
Controls referrer information sent in requests.
Referrer-Policy: no-referrer
- Permissions-Policy
Restricts browser features like camera and geolocation.
Permissions-Policy: geolocation=(), camera=()
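The list above gives each header and the value the post recommends. The following added example (not code from the original post) turns that list into a check a defender can run against a captured response: it audits a header map for missing or weak values, using the post's own thresholds (a one-year HSTS max-age, nosniff, DENY/SAMEORIGIN). The audit function, the two sample responses and the finding strings are constructed here and are not part of the post.

```javascript
// Added example: audit response headers against the recommendations above.
// Header names and threshold values come from the post; the function and
// the sample responses are constructed for this example.

const ONE_YEAR_SECONDS = 31536000; // the max-age the post recommends for HSTS

// HTTP header names are case-insensitive, so normalise them before lookup.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Extract the numeric max-age from an HSTS value, or null if absent.
function parseHstsMaxAge(value) {
  const m = /max-age\s*=\s*(\d+)/i.exec(value);
  return m ? Number(m[1]) : null;
}

// Returns a list of findings; an empty list means every recommended header
// is present with an acceptable value.
function auditSecurityHeaders(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const findings = [];

  if (!h['content-security-policy']) {
    findings.push('Content-Security-Policy missing');
  } else if (!/default-src/i.test(h['content-security-policy'])) {
    findings.push('Content-Security-Policy has no default-src fallback');
  }

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options is not "nosniff"');
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    findings.push('X-Frame-Options is not DENY or SAMEORIGIN');
  }

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('Strict-Transport-Security missing');
  } else {
    const maxAge = parseHstsMaxAge(hsts);
    if (maxAge === null || maxAge < ONE_YEAR_SECONDS) {
      findings.push('Strict-Transport-Security max-age is below one year');
    }
    if (!/includeSubDomains/i.test(hsts)) {
      findings.push('Strict-Transport-Security lacks includeSubDomains');
    }
  }

  if (!h['referrer-policy']) findings.push('Referrer-Policy missing');
  if (!h['permissions-policy']) findings.push('Permissions-Policy missing');

  return findings;
}

// Constructed sample responses: one configured as the post recommends,
// one with the gaps typically seen on an unconfigured App Service site.
const hardenedResponse = {
  'Content-Security-Policy': "default-src 'self';",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Referrer-Policy': 'no-referrer',
  'Permissions-Policy': 'geolocation=(), camera=()',
};

const weakResponse = {
  'Content-Type': 'text/html',
  'X-Frame-Options': 'ALLOWALL',
  'Strict-Transport-Security': 'max-age=300',
};

console.log('hardened:', auditSecurityHeaders(hardenedResponse)); // []
console.log('weak:', auditSecurityHeaders(weakResponse));        // seven findings
```

Feed it the headers from a real response (for example the header object returned by `fetch` or `curl -I`, converted to a plain object) to get a quick pass/fail list per site after a deployment.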
How to Add Security Headers in Azure App Service / Azure Container Apps
Option 1: Web.config (Windows-based App Service)
For .NET apps, add headers in web.config:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Content-Type-Options" value="nosniff" />
      <add name="X-Frame-Options" value="DENY" />
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
      <add name="Content-Security-Policy" value="default-src 'self'" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
Option 2: Application-level headers on Azure Container Apps or Azure App Service (Linux: Node.js, Python, Java, PHP apps)
For Node.js (Express):
const express = require('express');
const helmet = require('helmet');
const app = express();
app.use(helmet()); // sets a default set of security headers on every response
Note: For implementation specifics, refer to your programming language's official documentation.
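If you prefer not to take a dependency, the same headers can be set by a few lines of your own middleware. The following is an added example, not the post's or helmet's code: an Express-compatible middleware that emits the post's header values, plus a small stand-in request/response pair so it can be exercised without starting a server. The function names, the `overrides` option and the fake response are constructed here; the assumption that a TLS-terminating front end forwards `X-Forwarded-Proto` is labelled in the code.

```javascript
// Added example: dependency-free Express-style middleware that sets the
// headers from the post. Header values are the post's; everything else
// is constructed for this example.

const DEFAULT_HEADERS = {
  'Content-Security-Policy': "default-src 'self'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'no-referrer',
  'Permissions-Policy': 'geolocation=(), camera=()',
};

const HSTS_VALUE = 'max-age=31536000; includeSubDomains';

// Behind a TLS-terminating front end the app itself sees plain HTTP, so
// consult the X-Forwarded-Proto hint as well as req.secure. Assumption:
// the proxy in front of the app sets that header.
function isHttps(req) {
  const proto = (req.headers && req.headers['x-forwarded-proto']) || '';
  return Boolean(req.secure) || proto.split(',')[0].trim().toLowerCase() === 'https';
}

// Returns (req, res, next) middleware. Pass an object to override or, with
// a null value, suppress an individual header.
function securityHeaders(overrides = {}) {
  const headers = { ...DEFAULT_HEADERS, ...overrides };
  return function (req, res, next) {
    for (const [name, value] of Object.entries(headers)) {
      if (value !== null) res.setHeader(name, value);
    }
    // Browsers ignore HSTS received over plain HTTP, so only emit it on
    // responses that actually travelled over HTTPS.
    if (isHttps(req)) res.setHeader('Strict-Transport-Security', HSTS_VALUE);
    next();
  };
}

// Minimal stand-in for an Express request/response pair, so the middleware
// can be checked without a running server.
function applyToFakeResponse(middleware, reqProps = {}) {
  const req = { headers: {}, secure: false, ...reqProps };
  const sent = {};
  const res = { setHeader: (name, value) => { sent[name] = value; } };
  let nextCalled = false;
  middleware(req, res, () => { nextCalled = true; });
  return { headers: sent, nextCalled };
}

// Wiring into a real app looks like this (not executed here):
//   const express = require('express');
//   const app = express();
//   app.use(securityHeaders());

console.log(applyToFakeResponse(securityHeaders(), { headers: { 'x-forwarded-proto': 'https' } }).headers);
```

Register the middleware before any route handlers so that every response, including error pages, carries the headers; a handler that runs first and ends the response will skip it.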
Reverse Proxy (Nginx or Apache inside container)
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "DENY";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
add_header Content-Security-Policy "default-src 'self'";
Doc: How to set Nginx headers -
Option 3: Azure Front Door / Application Gateway
If you use these services, you can inject headers at the edge using Rules Engine.
- Use header rewrite to add HSTS header in portal - Azure Application Gateway | Microsoft Learn
- Tutorial: Add security headers with Rules Engine - Azure Front Door | Microsoft Learn
Conclusion
Implementing security headers in App Service or Container Apps is a simple yet powerful way to enhance your application’s security posture. Whether you use web.config, middleware, or edge services, these headers help protect your users and data from common web threats.
Start today by adding these headers to your App Service and make your application more secure!
References
App Service Linux security FAQs –
Editing Response Headers on Linux App Service –
Configure a PHP App - Azure App Service | Microsoft Learn
Configure Node.js Apps - Azure App Service | Microsoft Learn