@Heikki Vilppu thanks for the question.
By default, Static Web Apps environments are publicly accessible, but you can configure a password and require visitors to enter it before viewing the app. Azure Static Web Apps provides a streamlined authentication experience, where no other actions or configurations are required to use GitHub, Twitter, and Azure Active Directory (Azure AD) for authentication. Azure App Service lets you secure your apps with HTTPS, and provides other security features such as static IP restrictions, client authentication and authorization, service-to-service authentication, and network isolation.
Regarding your 3 questions:
- To ensure that roles in the x-ms-client-principal header are not edited/hacked on the frontend, you can use Azure Active Directory (Azure AD) for authentication as you mentioned above. Azure AD provides a streamlined authentication experience where no other actions or configurations are required to use it for authentication.
- To ensure that App Service does not accept requests outside the static web app UI, you can configure static IP restrictions. This feature allows you to restrict access to your app only from specific IP addresses or ranges.
- The setup is secure by default. However, since we don't know every single detail about your setup or environment, it's hard to say it's 100% secure. With that being said, please follow best practices for security, keep your systems updated, and monitor for any unusual activity in your web app.
Hope this helps!
-Grace
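As an added example (not part of the answer above), here is how a backend can decode the x-ms-client-principal header that Static Web Apps forwards and enforce a role check server-side. The header is base64-encoded JSON carrying identityProvider, userId, userDetails and userRoles; the header value itself is not signed, so this check is only meaningful when the backend is reachable solely through Static Web Apps (the IP-restriction point made in the answer). The helper names and sample values are constructed for this illustration.

```python
import base64
import json
from typing import Optional


def make_principal_header(roles, provider="aad", user_id="constructed-user-id"):
    """Build a constructed sample header value in the SWA format (test data only)."""
    principal = {
        "identityProvider": provider,
        "userId": user_id,
        "userDetails": "constructed.user@example.invalid",
        "userRoles": list(roles),
    }
    return base64.b64encode(json.dumps(principal).encode("utf-8")).decode("ascii")


def parse_client_principal(header_value: Optional[str]) -> Optional[dict]:
    """Decode the header; return None when it is missing or malformed.

    A missing or unparseable header must be treated as anonymous, never as
    an error to be tolerated, otherwise a crafted value can bypass checks.
    """
    if not header_value:
        return None
    try:
        # binascii.Error, UnicodeDecodeError and JSONDecodeError all subclass ValueError
        principal = json.loads(base64.b64decode(header_value, validate=True))
    except ValueError:
        return None
    roles = principal.get("userRoles") if isinstance(principal, dict) else None
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        return None
    return principal


def authorize(headers: dict, required_role: str, allowed_providers=("aad",)) -> bool:
    """Allow the request only if the principal came from an accepted identity
    provider and carries the required role. Header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    principal = parse_client_principal(lowered.get("x-ms-client-principal"))
    if principal is None:
        return False
    # Restrict to the provider you configured (the answer recommends Azure AD).
    if principal.get("identityProvider") not in allowed_providers:
        return False
    return required_role in principal["userRoles"]
```

Pair this with the App Service access restriction so that a caller cannot reach the backend directly and supply its own header.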