How to add security headers in Azure

Question

Our web application link in azure is contoso.azurewebsites.net/ After that we have created custom dns in azure and updated as contoso.azure.zf.com/ After creating this, we have a request from security that we need to enable WAF for public apps So we have to enable WAF and we have provided CName and domain Name to the WAF team CName : contoso.azurewebsites.net/ FinalDomain : contoso.azure.zf.com/ CloudWAF name was provided by them (check below) and we were asked to update our CName DEV:
contoso.azure.zf.com --> CNAME: contoso9.fortiweb-cloud-azure.net PROD:
contoso.azure.zf.com --> CNAME: contso.forti.web-cloud-azure.net So we have updated this Value like below inplace of azurewbsites.net And after that informed WAF team about updation. Then they provided security headers and asked to update in portal

Header-Name: ZF-SECURE-WAF-HEADER Value: XYZ

Where we have to add this security headers in portal - Access restriction or in configuration or in application insights. Only if we add this security header: contoso.azurewebsites.net/ will not be accessible

Answer 1

Hi Rangasamy Sakthikrishna CNN FIXP51,

First I advise to don't share confidential information by communities. About your questions:

How to Add this security headers? This will depends on your application code or configuration, for example if you are using C# can use something like this:

app.Use(async (context, next) =>
{
    var headerValue = Environment.GetEnvironmentVariable("ZF_SECURE_WAF_HEADER");
    context.Response.Headers.Add("ZF-SECURE-WAF-HEADER", headerValue);
    await next.Invoke();
});

Additionally, In order to don't hardcode this values on your code you can add this headers values in the App Service > Configuration > Application Settings in the Azure portal, these values are made available to your application as environment variables and Your can retreive by this way.

Let me know if this information help you to address your question.

Luis