Introduction
HTTP security headers are one of the most crucial parts of a web application: they help protect against a variety of attacks, most notably cross-site scripting, clickjacking and other script-based attacks, yet configuring them is frequently forgotten by developers. So, I recently checked my blog on securityheaders.com and the results indicated that HTTP security headers were not configured, so I decided to add some HTTP security headers to my Azure Static Web App.
Recommended HTTP security headers
Strict-Transport-Security
Content-Security-Policy
X-Frame-Options
X-Permitted-Cross-Domain-Policies
X-Content-Type-Options
Permissions-Policy
Configure HTTP security headers
You can create a JSON file called staticwebapp.config.json in the root of the web site, put the configuration below in it, and then deploy it to your Azure Static Web Apps host.
{
  "globalHeaders": {
    "content-security-policy": "frame-ancestors 'self'; upgrade-insecure-requests",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Referrer-Policy": "no-referrer",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "autoplay=()"
  }
}
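As an added example (not part of the original post), the Python check below reads the globalHeaders from the config above, parses a constructed response head of the kind `curl -sI` prints for a deployed site, and reports which of the recommended headers are absent. Run against the config it shows that Strict-Transport-Security is on the recommended list but not in the file; run against a response it also flags a site with no framing protection at all.

```python
import json
# Headers the post recommends, plus Referrer-Policy, which its config also sets.
RECOMMENDED = (
    "strict-transport-security", "content-security-policy", "x-frame-options",
    "x-permitted-cross-domain-policies", "x-content-type-options",
    "permissions-policy", "referrer-policy",
)

# The post's staticwebapp.config.json, embedded so the check runs offline.
CONFIG_JSON = """{
  "globalHeaders": {
    "content-security-policy": "frame-ancestors 'self'; upgrade-insecure-requests",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Referrer-Policy": "no-referrer",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "autoplay=()"
  }
}"""

# Constructed response head (sample data), as `curl -sI` against a site might print it.
RAW_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
X-Content-Type-Options: nosniff
Content-Security-Policy: upgrade-insecure-requests
"""

def headers_from_config(config_text):
    """Lower-case the globalHeaders names; header names are case-insensitive on the wire."""
    cfg = json.loads(config_text)
    return {name.lower(): value for name, value in cfg.get("globalHeaders", {}).items()}

def headers_from_response(raw):
    """Parse a raw HTTP/1.1 response head (status line plus header lines) into a dict."""
    parsed = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            parsed[name.strip().lower()] = value.strip()
    return parsed

def audit(headers):
    """Return the recommended headers that are absent and any framing-protection gap."""
    missing = [h for h in RECOMMENDED if h not in headers]
    findings = []
    csp = headers.get("content-security-policy", "")
    if "frame-ancestors" not in csp and "x-frame-options" not in headers:
        findings.append("no framing protection: neither CSP frame-ancestors nor X-Frame-Options")
    return missing, findings
```

To audit a live deployment, paste the output of `curl -sI` for your site into RAW_RESPONSE or feed it to headers_from_response.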
Top comments (1)
Thanks, nice idea ❤