Azure Application Gateway/App Service + Secure Headers


Hello Everyone!!!
Hope you guys are doing great.
I'm looking to add the security headers (detailed above) from the OWASP recommendations to an App Service in Azure.
1) Is there a way to configure it on an App Service without using the Web.config?

2) I saw that Azure Application Gateway does URL rewriting. I tried to implement this:

https://docs.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers#implement-security-h...

And nothing happened.
Could someone point me in the right direction? An example would be awesome.


@Dest1337 I did this today as a rewrite rule on the Application Gateway.

[image: AlvinAbraham_0-1700244193917.png]
One point of caution (and I am not sure if Front Door handles that better): I have had a scenario where we were using a third-party WAF and had also set up adding an HSTS header. However, some of the websites set their own HSTS header, which resulted in a double HSTS header. This caused issues with some applications.

So either make sure headers are only added by Front Door (or whatever WAF/reverse proxy) or add a rule to remove existing HSTS headers first.
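Added example, not code from either poster or from Microsoft: a Python script that builds the `rewriteRuleSets` entry in the shape the Application Gateway ARM/Bicep resource expects (the same structure the portal screenshot above configures), setting a typical subset of the OWASP Secure Headers Project response headers and deleting information-leaking ones (an empty `headerValue` deletes a header). It also audits a captured response for the two failure modes in this thread: headers that never arrived ("nothing happened") and the doubled HSTS header from the reply. The header values, the rule-set and rule names, and the sample response are assumptions/constructed; tune the values per application.

```python
import json

# Response headers to enforce at the gateway. Values are a typical subset of
# the OWASP Secure Headers Project recommendations (assumption: adjust per app).
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

# Headers that leak platform details; an empty headerValue deletes them.
LEAK_HEADERS = ["Server", "X-Powered-By"]


def build_rewrite_rule_set(name="owasp-security-headers"):
    """Return one rewriteRuleSets entry for a Microsoft.Network/applicationGateways
    resource. Attach it to a request routing rule via its rewriteRuleSet reference."""
    configs = [{"headerName": h, "headerValue": v} for h, v in SECURITY_HEADERS.items()]
    configs += [{"headerName": h, "headerValue": ""} for h in LEAK_HEADERS]
    return {
        "name": name,
        "properties": {
            "rewriteRules": [
                {
                    "name": "set-security-headers",   # assumed rule name
                    "ruleSequence": 100,
                    "conditions": [],                 # unconditional: every response
                    "actionSet": {
                        "requestHeaderConfigurations": [],
                        "responseHeaderConfigurations": configs,
                    },
                }
            ]
        },
    }


def parse_header_lines(raw):
    """Parse 'Name: value' lines from a captured response; names lower-cased."""
    headers = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_response_headers(raw):
    """Report security headers that are missing, present more than once
    (the doubled-HSTS problem), or leaking platform details."""
    counts = {}
    for name, _ in parse_header_lines(raw):
        counts[name] = counts.get(name, 0) + 1
    return {
        "missing": [h for h in SECURITY_HEADERS if h.lower() not in counts],
        "duplicated": [h for h in SECURITY_HEADERS if counts.get(h.lower(), 0) > 1],
        "leaked": [h for h in LEAK_HEADERS if h.lower() in counts],
    }


# Constructed sample: a backend that already sends its own HSTS header behind
# a proxy that adds a second one, and that still exposes the Server header.
SAMPLE_RESPONSE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=15552000
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Server: Microsoft-IIS/10.0
"""

if __name__ == "__main__":
    print(json.dumps(build_rewrite_rule_set(), indent=2))
    print(audit_response_headers(SAMPLE_RESPONSE_HEADERS))
```

The rule set does nothing until it is referenced from a request routing rule (or a path rule) of the gateway, which is the usual reason a freshly created rewrite appears to have no effect. After deploying, capture the response headers as seen by a client (for example from the browser's network tab) and run them through `audit_response_headers`; an entry under `duplicated` means a backend or another proxy is still adding the same header and needs a removal rule or a change on that side.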