Introduction
HTTP security headers is the most crucial part of the web applications that helps to protect against some variety of attacks most likely cross-site scripting, clickjacking and other script attacks, configure HTTP security headers is frequently forgotten by Developers! So, I recently checked my blog on securityheaders.com and results indicated that HTTP security headers are not configured so I decided to put some HTTP security headers for my Azure Static Web Apps.
Recommended HTTP security headers
Strict-Transport-Security
Content-Security-Policy
X-Frame-Options
X-Permitted-Cross-Domain-Policies
X-Content-Type-Options
Permissions-Policy
Configure HTTP security headers
You can create a json file called ( staticwebapp.config.json ) in the root of the web site and put the configuration like below then deploy it to your Azure Static Web App host.
{
"globalHeaders": {
"content-security-policy": "frame-ancestors 'self';
upgrade-insecure-requests",
"X-Frame-Options": "SAMEORIGIN",
"X-Permitted-Cross-Domain-Policies": "none",
"Referrer-Policy":"no-referrer",
"X-Content-Type-Options": "nosniff",
"Permissions-Policy": "autoplay=()"
}
}
Top comments (1)
Thanks, nice idea β€