App service security headers

Rolf 31 Reputation points
2021-01-04T11:12:49.53+00:00

Hi,

we are using an App Service with Linux containers. Currently we are checking our web app for security.

I read a lot of documentation, but I'm not sure if the HTTPS-only feature protects enough, because there are no security headers set.

Is there a possibility in App Service with Linux containers to set HTTP security headers like x-frame-options, x-xss-protection or strict-transport-security?

Or is the App Service the wrong place?


Accepted answer
  1. SnehaAgrawal-MSFT 18,286 Reputation points
    2021-01-06T05:34:16.77+00:00

    Thanks for the reply! HTTPS-only in App Service means that unencrypted requests won't be accepted; this is enforced at the front-end load balancer, before the request even reaches the worker. This means it will actively give you a redirect and not let you access the unencrypted page.
    Also, the fact that this happens on the front end is important: if you're trying to see whether a request is HTTPS in your code, you will always see it's HTTP, because that's how all requests reach the worker.

    To detect HTTPS in your code you need to check another header. For example (Node.js), see https://learn.microsoft.com/en-us/azure/app-service/configure-language-nodejs?pivots=platform-linux#detect-https-session

    For Linux you can modify the blessed images with a startup script or use a custom container.
    Refer to Azure App Service (Linux&PHP) — Fix (securityheaders.com) missing HTTP Response Headers

    Further, to answer your query on “Is there a possibility in App Service with Linux containers to set HTTP security headers like x-frame-options, x-xss-protection or strict-transport-security? Or is the HTTPS-only feature enough for protection?”:

    From a developer standpoint – yes – using whatever language support there is for sending back HTTP headers, developers are free to include whatever they want in their responses. There isn’t a feature in the App Service platform to automatically include these headers though.

    Check this blog for the architecture view.

    More details : Azure security baseline for App Service - Azure App Service | Microsoft Learn

    Hope this helps.

    Disclaimer: This response contains a reference to a third-party World Wide Web site. Microsoft is providing this information as a convenience to you.


2 additional answers

Sort by: Most helpful
  1. Rolf 31 Reputation points
    2021-01-05T06:52:25.857+00:00

    Thanks for your reply. Where can I do this for app service with linux containers?

    Is it really needed if I'm using the "HTTPS only" feature of the App Service? How does this feature work?

    2 people found this answer helpful.

  2. SnehaAgrawal-MSFT 18,286 Reputation points
    2021-01-05T05:30:17.087+00:00

    Thanks for asking the question! If I have understood right, you are looking for HTTP Strict Transport Security (HSTS) support for Azure App Service.

    HSTS lets a web site tell browsers that it should only be accessed using HTTPS instead of HTTP. To protect users from malicious pages, web applications can use an HSTS header. Through HSTS, web applications can instruct browsers that they can be accessed only using HTTPS.

    To enable HSTS, add an outbound rule in web.config, as shown:

    [Image: 53456-how-add-security-headers-to-azure-app-service-for.png, showing the web.config outbound rule that adds the Strict-Transport-Security header]

    You may also refer to the blog Security Best Practices for Azure App Service Web Apps, which might be helpful.

    Disclaimer: This response contains a reference to a third-party World Wide Web site. Microsoft is providing this information as a convenience to you.
