How to add/remove HTTPS response headers from a static web page deployed in Azure Blob Storage

Question

Hi Microsoft Azure Team,

My team maintains a static web app deployed in Azure Blob Storage. We would want to add/remove headers in the HTTPS response. Is this possible?

Add/Remove	HTTPS Response Header
Add	Custom security headers (i.e. "Strict-Transport-Security", etc.)
Remove	Server

If it is not possible to do on Azure Blob Storage alone, can you please suggest which network components are suggested in order to achieve this requirement?

Answer 1

Hello Jolo Gonzales,

Greetings! Welcome to Microsoft Q&A Platform.

Azure Blob Storage alone does not support adding or removing custom headers in the HTTPS response directly documented here. Static websites have some limitations. For example, If you want to configure headers, you'll have to use Azure Content Delivery Network (Azure CDN). There's no way to configure headers as part of the static website feature itself. Also, AuthN and AuthZ are not supported.

If these features are important for your scenario, consider using Azure Static Web Apps. It's a great alternative to static websites and is also appropriate in cases where you don't require a web server to render content. You can configure headers and AuthN / AuthZ is fully supported. Azure Static Web Apps also provides a fully managed continuous integration and continuous delivery (CI/CD) workflow from GitHub source to global deployment.

If you need a web server to render content, you can use Azure App Service. However, you can achieve this by using additional Azure services.

Azure CDN (Content Delivery Network): You can use Azure CDN to add, modify, or remove headers. Azure CDN allows you to configure rules to append or overwrite header values, including security headers like "Strict-Transport-Security".

Azure Front Door: This service provides advanced routing and security features, including the ability to add or modify headers in the HTTP response. It acts as a global load balancer and can help you manage traffic efficiently while adding the necessary headers.

Azure Application Gateway: This is another option that provides a web application firewall (WAF) and allows you to add custom headers to your responses. It can be used in conjunction with Azure Blob Storage to enhance security and manage headers.

Using one of these services in combination with Azure Blob Storage will help you achieve your goal of adding or removing custom headers in the HTTPS response.

Similar thread for reference - https://stackoverflow.com/questions/70002088/how-to-add-custom-response-header-to-a-response-coming-from-azure-blob,https://learn.microsoft.com/en-us/rest/api/storageservices/setting-and-retrieving-properties-and-metadata-for-blob-resources.

Hope this information helps! please let us know if you have any further queries. I’m happy to assist you further.

---

Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Hi Jolo Gonzales - Thanks for reaching out over Q&A Forum,

Unfortunately, there's no way to configure headers as part of the static website feature. Same has been documented here – https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website#adding-http-headers  

However, you can use Azure CDN to add headers and append (or overwrite) header values. See Standard rules engine reference for Azure CDN. If you want to use headers to control caching, see Control Azure CDN caching behavior with caching rules. Also refer the document for the same - https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website#how-do-i-add-custom-headers-and-rules-with-a-static-website

Hope that helps!

Please let me know if there are any further queries/concerns, will be glad to assist.

---

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.