How to set Content Security Policy (CSP) Header Not Set for Azure Blob Static Website

Mosa REMBALA 0 Reputation points
2023-01-30T08:01:20.52+00:00

Hi Team,
I've resolved my problem about the proxy disclosure and now I am facing a problem with Content Security Policy (CSP) Header Not Set.
This is a screenshot displaying the case.

Content Security Policy (CSP) Header Not Set

Thanks for your feedback

Azure Blob Storage

6 answers

  1. Arun Siripuram 801 Reputation points
    2023-01-30T08:39:54.57+00:00

    @Mosa REMBALA

    Thank you for posting your query on Microsoft Q&A.

    You can define configuration in the staticwebapp.config.json file, which controls the following settings:

    https://learn.microsoft.com/en-us/azure/static-web-apps/configuration

    This file is used to define the configurations for your app, including custom headers.

    Here's an example of how to add a Content Security Policy header in the staticwebapp.config.json file:

    {
      "globalHeaders": {
        "content-security-policy": "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'",
        "Access-Control-Allow-Origin": "*",
        "X-Frame-Options": "SAMEORIGIN",
        "X-Permitted-Cross-Domain-Policies": "none",
        "Referrer-Policy": "no-referrer",
        "X-Content-Type-Options": "nosniff",
        "Permissions-Policy": "autoplay=()"
      }
    }
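
Whatever sets the header, the only thing a scanner sees is the response on the deployed origin, so the check worth keeping is one that reads the response headers back and also tells you whether the policy you shipped is worth anything. The script below is an added example for this thread, not code from the answer above or from Microsoft: it parses raw response headers (captured, for instance, with `curl -sI` against the site), reports whether an enforced Content-Security-Policy is present, and lints the policy proposed above, which allows `'unsafe-inline'`, `'unsafe-eval'` and any `https:` host for scripts. The sample responses and the tighter `STRICTER_POLICY` are constructed for the example; the stricter policy assumes every script and stylesheet is served from the site's own origin with no inline script blocks.

```python
"""Check a response for a Content-Security-Policy header and lint the policy.

Added example for this thread, not code from the answers above or from Microsoft.
Input is raw response headers (for instance captured with `curl -sI` against the
deployed site); the samples below are constructed, not taken from a real endpoint.
"""
from __future__ import annotations

# Constructed sample: no CSP at all, the case the scanner in the thread flags.
SAMPLE_WITHOUT_CSP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 1234\r\n\r\n"

# The exact policy proposed in the thread, embedded in a constructed response.
THREAD_POLICY = "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
SAMPLE_WITH_CSP = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    f"Content-Security-Policy: {THREAD_POLICY}\r\nX-Content-Type-Options: nosniff\r\n\r\n"
)

# Tighter starting point, assuming all scripts and styles come from the site's own
# origin with no inline <script> blocks (sites that need inline JS use nonces/hashes).
STRICTER_POLICY = (
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "base-uri 'self'; frame-ancestors 'self'"
)

# Sources that hand script loading to a whole scheme or to every origin.
BROAD_SOURCES = {"*", "https:", "http:", "data:"}


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Map lowercase header names to values, skipping the status line. Repeated
    headers are kept: browsers enforce every CSP header they receive."""
    headers: dict[str, list[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy into directive -> lowercased sources. Browsers honour only the
    first occurrence of a directive, so later duplicates are dropped here too."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return directives


def effective_sources(directives: dict[str, list[str]], name: str) -> list[str]:
    """Sources governing a fetch directive, applying the default-src fallback."""
    return directives[name] if name in directives else directives.get("default-src", [])


def lint_csp(policy: str) -> list[str]:
    """Return findings for the policy weaknesses that matter most on a static site."""
    d = parse_csp(policy)
    findings: list[str] = []
    if "script-src" not in d and "default-src" not in d:
        findings.append("neither script-src nor default-src: script loading is unrestricted")
    for src in effective_sources(d, "script-src"):
        if src == "'unsafe-inline'":
            findings.append("'unsafe-inline' allows inline scripts, so injected markup still runs")
        elif src == "'unsafe-eval'":
            findings.append("'unsafe-eval' allows eval() on attacker-influenced strings")
        elif src in BROAD_SOURCES:
            findings.append(f"script source {src} lets any origin it matches serve scripts")
    if "'none'" not in effective_sources(d, "object-src"):
        findings.append("object-src is not 'none': embedded plugin content is unrestricted")
    if "base-uri" not in d:
        findings.append("no base-uri: an injected <base> tag can redirect relative script URLs")
    if "frame-ancestors" not in d:
        findings.append("no frame-ancestors: framing control relies on X-Frame-Options alone")
    return findings


def check_response(raw: str) -> dict:
    """Report whether an enforced CSP is present and what is wrong with it."""
    headers = parse_headers(raw)
    enforced = headers.get("content-security-policy", [])
    report_only = bool(headers.get("content-security-policy-report-only"))
    result: dict = {"csp_present": bool(enforced), "report_only": report_only, "findings": []}
    if not enforced:
        note = " (only a Report-Only policy is set, which blocks nothing)" if report_only else ""
        result["findings"].append("Content-Security-Policy header not set" + note)
        return result
    for policy in enforced:  # more than one header: all of them are enforced
        result["findings"].extend(lint_csp(policy))
    return result


if __name__ == "__main__":
    for label, raw in (("without CSP", SAMPLE_WITHOUT_CSP), ("thread policy", SAMPLE_WITH_CSP)):
        result = check_response(raw)
        print(f"{label}: csp_present={result['csp_present']}")
        for finding in result["findings"]:
            print("  -", finding)
    print("stricter policy findings:", lint_csp(STRICTER_POLICY))
```

Run it against a headers file to see the difference between "the header is there" and "the header is useful": the policy from the thread passes a scanner's presence check but produces five findings, since `default-src https:` with both unsafe keywords lets any HTTPS host and any injected inline script run. A Report-Only header is deliberately not counted as present, because it blocks nothing.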
    

  2. Arun Siripuram 801 Reputation points
    2023-01-30T14:13:41.37+00:00

    @Mosa REMBALA

    I will be happy to hear back from you. Please note that all configurations should be based on your project requirements.

    Ex: "Access-Control-Allow-Origin": "*" should be specific domain names.

    Please take care.


  3. Mosa REMBALA 0 Reputation points
    2023-01-31T11:28:01.19+00:00

    @Arun Siripuram

    I've applied the **staticwebapp.config.json** file in my deployment but nothing has changed.

    Below are the steps that I did.

    Step 1: I created the staticwebapp.config.json file in my app_location and put it in the public subfolder.

    
    {
      "globalHeaders": {
        "content-security-policy": "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'",
        "Access-Control-Allow-Origin": "https://my-domain-name",
        "X-Frame-Options": "SAMEORIGIN",
        "X-Permitted-Cross-Domain-Policies": "none",
        "Referrer-Policy": "no-referrer",
        "X-Content-Type-Options": "nosniff",
        "Permissions-Policy": "autoplay=()"
      }
    }
    

    Step 2: I deployed my app.

    Step 3: I tested it via our security check. The result, Content Security Policy (CSP) Header Not Set, still persists.

    Content Security Policy (CSP) Header Not Set


  4. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  5. Arun Siripuram 801 Reputation points
    2023-01-31T13:45:48.75+00:00

    @Mosa REMBALA

    Please check the location of the file.

    File location

    The recommended location for the staticwebapp.config.json is in the folder set as the app_location in the workflow file. However, the file may be placed in any subfolder within the folder set as the app_location.

    Please refer to the URL below.

    https://learn.microsoft.com/en-us/azure/static-web-apps/configuration
