Configure HTTP security response headers for Azure Static Web Apps
Introduction
HTTP security headers is the most crucial part of the web applications that helps to protect against some variety of attacks most likely cross-site scripting, clickjacking and other script attacks, configure HTTP security headers is frequently forgotten by Developers ! So, I recently checked this blog on securityheaders.com and results indicated that HTTP security headers are not configured then I decided to put some HTTP security headers for my blog that running on Azure Static Web Apps.
Recommended HTTP security headers
-
Strict-Transport-Security
-
Content-Security-Policy
-
X-Frame-Options
-
X-Permitted-Cross-Domain-Policies
-
X-Content-Type-Options
-
Permissions-Policy
Configure HTTP security headers
You can create a json file called ( staticwebapp.config.json ) in the root of the web site and put the configuration like below then deploy it to your Azure Static Web App host.
{
"globalHeaders": {
"content-security-policy": "frame-ancestors 'self'; upgrade-insecure-requests",
"X-Frame-Options": "SAMEORIGIN",
"X-Permitted-Cross-Domain-Policies": "none",
"Referrer-Policy":"no-referrer",
"X-Content-Type-Options": "nosniff",
"Permissions-Policy": "autoplay=()"
}
}