How to add the X-Content-Type-Options header to my HTTP response message when I invoke my function app root URL

Dileep Mada 0 Reputation points
2024-04-01T11:54:09.6033333+00:00

Hi Team,
As part of my organization's security policies, any publicly accessible URL should have the "X-Content-Type-Options" header in its HTTP response message. I have a function app hosted in Azure; when I invoke it, the response does not include the "X-Content-Type-Options" header. How can I set this header globally from my Azure function host?

3 answers

  1. Michael Taylor 49,356 Reputation points
    2024-04-01T15:04:46.5166667+00:00

    That header is part of the content security policy of a site. You don't want to add it haphazardly without understanding (and using) the full CSP rules for your org.

    I haven't tried this with a function app but I believe you need to set up a proxy for the function. Inside the proxy you specify the header(s) to include as part of the response. Then all requests to the function return back the header(s) you specified. There is a blog article on that here.

    Again, though, be sure to review your company's CSP rules and ensure you're following all of them otherwise you're locking a screen door.

    1 person found this answer helpful.

  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  3. Pinaki Ghatak 2,480 Reputation points Microsoft Employee
    2024-05-17T10:38:49.6633333+00:00

    Hello @Dileep Mada

    To enable the X-Content-Type-Options header globally for all pages in your Azure Function app, you can do one of the following:

    1. Add the header in the web.config file if the application is hosted by Internet Information Services (IIS) 7.
    2. Add the header through the global Application_BeginRequest. Here's an example of how to add the header through the global Application_BeginRequest:

        void Application_BeginRequest(object sender, EventArgs e)
        {
            // Set the header at the start of every request.
            this.Response.Headers["X-Content-Type-Options"] = "nosniff";
        }

    3. Implement a custom HTTP module. Here's an example of how to implement a custom HTTP module:

        using System.Web;
        public class XContentTypeOptionsModule : IHttpModule
        {
            // IHttpModule members: hook BeginRequest and set the header on each response.
            public void Init(HttpApplication app) =>
                app.BeginRequest += (s, e) =>
                    ((HttpApplication)s).Response.Headers["X-Content-Type-Options"] = "nosniff";

            public void Dispose() { }
        }

    I hope that this response has addressed your query and helped you overcome your challenges. If so, please mark this response as Answered. This will not only acknowledge our efforts, but also assist other community members who may be looking for similar solutions.

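The answers above describe a proxy and IIS-hosted ASP.NET hooks. As an added example (not code from any answer on this page or from Microsoft), here is one way to set the header on every response that an HTTP-triggered function returns, assuming the app runs on the .NET isolated worker model and uses its built-in `HttpResponseData` type. `NoSniffMiddleware` is a hypothetical name.

```csharp
// Added example. Assumes the .NET isolated worker model
// (Microsoft.Azure.Functions.Worker) with the built-in HttpResponseData type.
using System.Threading.Tasks;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Middleware;
using Microsoft.Extensions.Hosting;

// Hypothetical class name: runs around every function invocation in the app.
public sealed class NoSniffMiddleware : IFunctionsWorkerMiddleware
{
    private const string HeaderName = "X-Content-Type-Options";

    public async Task Invoke(FunctionContext context, FunctionExecutionDelegate next)
    {
        // Let the function run first so its response object exists.
        await next(context);

        // Null for non-HTTP triggers (timer, queue, ...): nothing to decorate.
        var response = context.GetHttpResponseData();
        if (response is null)
        {
            return;
        }

        // Replace rather than append so the header carries exactly one "nosniff".
        response.Headers.Remove(HeaderName);
        response.Headers.Add(HeaderName, "nosniff");
    }
}

public static class Program
{
    public static void Main()
    {
        // Register the middleware once; it then applies to all functions in the app.
        var host = new HostBuilder()
            .ConfigureFunctionsWorkerDefaults(worker =>
                worker.UseMiddleware<NoSniffMiddleware>())
            .Build();

        host.Run();
    }
}
```

Under these assumptions the middleware only touches responses that a function itself returns, so confirm the result by inspecting the response headers of each deployed endpoint the policy covers.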