Thanks for the reply! HTTPS Only in App Service means that unencrypted requests won't be accepted, and it is enforced at the front-end load balancer, before the request even reaches the worker. This means it will actively give you a redirect and not let you access the unencrypted page.
Also, the fact that this happens on the front end is important: if you're trying to see whether a request is HTTPS in your code, you will always see that it's HTTP, because that's how all requests reach the worker.
To detect HTTPS in your code, you need to check another header. For example (Node.js), see https://learn.microsoft.com/en-us/azure/app-service/configure-language-nodejs?pivots=platform-linux#detect-https-session
For Linux, you can modify the blessed images with a startup script or use a custom container.
Refer to Azure App Service (Linux&PHP) — Fix (securityheaders.com) missing HTTP Response Headers
Further, to answer your query on “Is there a possibility in app service with linux containers to set http security headers like x-frame-option, x-xss-protection or strict-transport-security? Or https-only feature is enough for protection.”
From a developer standpoint – yes – using whatever language support there is for sending back HTTP headers, developers are free to include whatever they want in their responses. There isn’t a feature in the App Service platform to automatically include these headers though.
Check this blog on architecture view.
More details: Azure security baseline for App Service - Azure App Service | Microsoft Learn
Hope this helps.
Disclaimer: This response contains a reference to a third-party World Wide Web site. Microsoft is providing this information as a convenience to you.
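The following Node.js sketch is an added example, not part of the original answer or of Microsoft's code. It shows the two points made above together: reading the `X-Forwarded-Proto` header that the linked documentation section describes to learn whether the original request was HTTPS, and setting the response headers from application code. The header values, function names and the fake response object are assumptions chosen for illustration.

```javascript
// Added example. Header values are assumptions; tune them for your app.
const BASE_HEADERS = {
  'X-Frame-Options': 'DENY',
  'X-XSS-Protection': '0', // legacy header; modern guidance is to disable the old auditor
};
const HSTS = 'max-age=31536000; includeSubDomains';

// TLS ends at the App Service front end, so the worker always sees plain HTTP.
// The front end records the original scheme in X-Forwarded-Proto.
// Trust this header only behind a front end that sets it; a direct client could forge it.
function isHttps(req) {
  const raw = req.headers['x-forwarded-proto']; // Node lowercases header names
  if (!raw) return false;
  // Several proxies may append values ("https, http"); the first is the client's scheme.
  return String(raw).split(',')[0].trim().toLowerCase() === 'https';
}

function applySecurityHeaders(req, res) {
  for (const [name, value] of Object.entries(BASE_HEADERS)) res.setHeader(name, value);
  // Browsers ignore HSTS received over plain HTTP, so send it only for HTTPS requests.
  if (isHttps(req)) res.setHeader('Strict-Transport-Security', HSTS);
}

function handler(req, res) {
  applySecurityHeaders(req, res);
  res.statusCode = 200;
  res.setHeader('Content-Type', 'text/plain');
  res.end(isHttps(req) ? 'original request: https\n' : 'original request: http\n');
}

// Constructed stand-in for http.ServerResponse so the demo runs offline.
function fakeResponse() {
  const headers = {};
  return {
    headers, statusCode: 0, body: '',
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    end(body) { this.body = body || ''; },
  };
}

// Runs the handler over two constructed requests and returns both responses.
function demo() {
  const viaTls = { headers: { 'x-forwarded-proto': 'https' } };
  const plain = { headers: {} };
  return [viaTls, plain].map((req) => {
    const res = fakeResponse();
    handler(req, res);
    return res;
  });
}
// To serve for real: require('http').createServer(handler).listen(process.env.PORT || 8080);
```

With HTTPS Only enabled the plain-HTTP branch should not be reached through the front end, but keeping the check means the app does not emit HSTS if that setting is ever turned off.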