Forum Discussion
Azure Load Balancer and security headers
Hi,
If I need to set Access-Control-Allow-Origin (something else than *) in the server. Does anybody have experiences if that is header is traveling through the Azure Load Balancer? Some documentations are saying that LB needs to be able to support these headers. I'm asking this in this way, as this is kind of preparing for the future, while not be able to test that yet. Neither I was not able to find any Azure documentation for this.
2 Replies
Azure Load Balancer (ALB) works at Layer 4 (Transport Layer) and does not modify HTTP headers, including Access-Control-Allow-Origin. If your backend server sets this header, it will pass through ALB without changes.
If you use Azure Application Gateway or Azure Front Door (both operate at Layer 7), they can modify headers via rewrite rules. Also, if WAF is enabled, it might block or alter CORS headers.
So, as long as your backend properly sets Access-Control-Allow-Origin, ALB won’t interfere. If you need header modifications, consider using Application Gateway or Front Door instead.
Hello Petri,
Azure Load Balancer works as a layer 4 load balancer, which means that it operates on the Transport layer, therefore it passes all information as is from origin to the backend without applying any modifications to the request header.
In other words the http headers are not modified and any rules on the backend side are applicable.
is this answers your question ?
