Clarification on Azure Front Door Handling of "Server" Response Header

Lucas 100 Reputation points
2024-05-10T05:28:55.78+00:00

Dear Azure Team,

I hope this message finds you well. I'm reaching out to seek clarification on an observed behavior related to the Azure Front Door service.

During my recent deployment, I noticed that when directly accessing the backend App Service endpoint, the response headers included the "Server" header (e.g., "Server: nginx/1.14.0"). However, when accessing the same application through the Azure Front Door, the "Server" response header was no longer present.

I thoroughly reviewed the Azure Front Door documentation but could not find any explicit mention of the service removing or modifying the "Server" response header by default. I understand that this practice is common among reverse proxies and Web Application Firewalls for security purposes, but I appreciate transparency and would like to understand the rationale behind this behavior better.

Could you kindly confirm if this is an expected and documented behavior of Azure Front Door? If so, I would greatly appreciate it if you could provide a reference to the relevant documentation or clarify the reasoning behind this decision.

Additionally, if there is a way to configure Azure Front Door to preserve the "Server" response header (should I have a specific requirement for it), I would be grateful if you could guide me through the necessary steps.

Thank you in advance for your assistance. I appreciate your time and effort in ensuring the Azure documentation remains comprehensive and up-to-date.


Best regards,
Lucas


Accepted answer
  1. KapilAnanth-MSFT 37,406 Reputation points Microsoft Employee
    2024-05-10T07:10:32.93+00:00

    @Lucas,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    Generally, AFD passes all the headers it receives from the Origin to the Client without any modification.

    See: From the Front Door to the client - Protocol support for HTTP headers.

    However, this can be overridden by using Rule Sets.

    Can you confirm if you do not have any Rule Sets configured that delete the response header "Server" for traffic from AFD to Client?

    Cheers,

    Kapil
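
One way to run the Rule Set check asked for in the answer above, as an added example that is not part of the original thread or Microsoft's own tooling. It assumes the rules of each Rule Set were exported with `az afd rule list ... -o json` and that actions appear as `ModifyResponseHeader` entries with `headerAction` and `headerName` parameters; the rule names and the sample JSON are constructed.

```python
import json

# Constructed sample, shaped like the assumed `az afd rule list -o json` output.
SAMPLE_RULES_JSON = """
[
  {"name": "AddHsts", "order": 1, "actions": [
    {"name": "ModifyResponseHeader",
     "parameters": {"headerAction": "Overwrite",
                    "headerName": "Strict-Transport-Security",
                    "value": "max-age=31536000"}}]},
  {"name": "HideBanner", "order": 2, "actions": [
    {"name": "ModifyResponseHeader",
     "parameters": {"headerAction": "Delete", "headerName": "server"}}]},
  {"name": "TagRequest", "order": 3, "actions": [
    {"name": "ModifyRequestHeader",
     "parameters": {"headerAction": "Delete", "headerName": "Server"}}]}
]
"""


def rules_touching_response_header(rules, header, actions=("Delete", "Overwrite")):
    """Return (rule name, headerAction) for rules that change `header` in responses."""
    hits = []
    for rule in sorted(rules, key=lambda r: r.get("order", 0)):
        for action in rule.get("actions") or []:
            if action.get("name") != "ModifyResponseHeader":
                continue  # request-header and routing actions do not affect the client response
            params = action.get("parameters") or {}
            # HTTP header names are case-insensitive, so compare lowercased.
            if (params.get("headerName") or "").lower() != header.lower():
                continue
            if params.get("headerAction") in actions:
                hits.append((rule.get("name"), params["headerAction"]))
    return hits


def audit(rules_json, header="Server"):
    """Parse exported rule JSON and list rules that delete or overwrite `header`."""
    return rules_touching_response_header(json.loads(rules_json), header)


if __name__ == "__main__":
    for name, act in audit(SAMPLE_RULES_JSON):
        print(f"rule {name!r}: {act} on response header 'Server'")
```

An empty result for every Rule Set associated with the route means no configured rule accounts for the missing header.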

