Security headings

Maviso2022 1 Reputation point

On a .NET Core web app hosted on Azure I would like to have the same security headings you can see on like HSTS, x-content-options, x-xss-protection and x-frame-options.

On .NET Framework this was done on web.config but I’m not sure about how to configure this on the new Azure configuration or is it only possible injecting the headers at application level?

A set of technologies in the .NET Framework for building web applications and XML web services.
4,245 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,049 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. ajkuma 22,851 Reputation points Microsoft Employee


    In App Service, TLS/SSL termination happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests.

    You could control (on all response headers) and include to return HSTS policy header explicitly. There is no App Service feature to enforce such policy on user's behalf.
    Just to highlight, App Services HttpsOnly is limited to redirect Http-Https but not extend to forcing single HSTS policy to all your users.

    You may take a look at this similar discussion App service security headers.

    If you have any further questions, please let us know.

    0 comments No comments