Azure Application Gateway/App Service + Secure Headers

Question

Hello Everyone!!!&nbsp;Hope you guys are doing great.&nbsp;Im looking to create Security Headers (detailed above) from OWASP recommendations to An App service in Azure.https://owasp.org/www-project-secure-headers/#http-strict-transport-securityhttps://owasp.org/www-project-secure-headers/#x-content-type-optionshttps://owasp.org/www-project-secure-headers/#content-security-policyhttps://owasp.org/www-project-secure-headers/#referrer-policyhttps://owasp.org/www-project-secure-headers/#cross-origin-embedder-policy&nbsp;1) Is there a way to configure it on an App Service? Without doing the Web.Config.2) I saw Azure application Gateway does the rewrite url. I tried to implement thishttps://docs.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers#implement-security-http-headers-to-prevent-vulnerabilitiesAnd nothing happen.&nbsp;Could someone point me out to teh right direction? Is there an example would be awesome.

alvinabraham · Answer

Dest1337&nbsp;I did this today as a rewrite on the Application Gateway rewrite.&nbsp;

_andreg · Answer

One point of caution (and I am not sure if Front Door handles that better): I have had a scenario where we were using a third party WAF and also setup adding a HSTS header. However, some of the websites set their own HSTS header, which resulted in a double HSTS header. This caused issues with some applications.

So either make sure headers are only added by Front Door (or whatever WAF/Reverse proxy) or add a rule to remove existing HSTS headers first

Forum Discussion

Azure Application Gateway/App Service + Secure Headers

2 Replies

Resources