Azure Application Gateway/App Service + Secure Headers

Dest1337 · ‎Mar 23 2021

Hello Everyone!!!

Hope you guys are doing great.

Im looking to create Security Headers (detailed above) from OWASP recommendations to An App service in Azure.

1) Is there a way to configure it on an App Service? Without doing the Web.Config.

2) I saw Azure application Gateway does the rewrite url. I tried to implement this

https://docs.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers#implement-security-h...

And nothing happen.

Could someone point me out to teh right direction? Is there an example would be awesome.

AlvinAbraham · ‎Nov 17 2023

@Dest1337 I did this today as a rewrite on the Application Gateway rewrite.

_AndreG · ‎Nov 17 2023

One point of caution (and I am not sure if Front Door handles that better): I have had a scenario where we were using a third party WAF and also setup adding a HSTS header. However, some of the websites set their own HSTS header, which resulted in a double HSTS header. This caused issues with some applications.

So either make sure headers are only added by Front Door (or whatever WAF/Reverse proxy) or add a rule to remove existing HSTS headers first

Azure Application Gateway/App Service + Secure Headers

Azure Application Gateway/App Service + Secure Headers

Re: Azure Application Gateway/App Service + Secure Headers

Re: Azure Application Gateway/App Service + Secure Headers

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Azure Application Gateway/App Service + Secure Headers

Azure Application Gateway/App Service + Secure Headers

Re: Azure Application Gateway/App Service + Secure Headers

Re: Azure Application Gateway/App Service + Secure Headers