Software Developer focusing on Microsoft development technologies

05 Sep 2021

Configure HTTP security response headers for Azure Static Web Apps

“Introduction” Photo by Emile Perron


HTTP security headers is the most crucial part of the web applications that helps to protect against some variety of attacks most likely cross-site scripting, clickjacking and other script attacks, configure HTTP security headers is frequently forgotten by Developers ! So, I recently checked this blog on and results indicated that HTTP security headers are not configured then I decided to put some HTTP security headers for my blog that running on Azure Static Web Apps.

  1. Strict-Transport-Security

  2. Content-Security-Policy

  3. X-Frame-Options

  4. X-Permitted-Cross-Domain-Policies

  5. X-Content-Type-Options

  6. Permissions-Policy

Configure HTTP security headers

You can create a json file called ( staticwebapp.config.json ) in the root of the web site and put the configuration like below then deploy it to your Azure Static Web App host.

      "globalHeaders": {
        "content-security-policy": "frame-ancestors 'self'; upgrade-insecure-requests",
        "X-Frame-Options": "SAMEORIGIN",
        "X-Permitted-Cross-Domain-Policies": "none",
        "X-Content-Type-Options": "nosniff",
        "Permissions-Policy": "autoplay=()"