HSTS and X-XSS in Web App Linux

jocht 1 Reputation point
2021-05-05T15:23:54.78+00:00

I am trying to add HSTS and X-XSS to my Web App. I have been testing using this: https://securityheaders.io

I have been using this link as a starting reference:

https://tomssl.com/2016/06/30/how-to-fix-the-http-response-headers-on-azure-web-apps-to-get-an-a-plus-on-securityheaders-io/

I added a web.config file inside /site/wwwroot, I stopped and started my web app, but it looks like it has no effect (I think that web.config is not required).

I have a Linux web app (Stack: NodeJS).

How would I accomplish this?

Thank You


brtrach-MSFT 14,231 Reputation points Microsoft Employee
    2021-05-08T04:44:48.583+00:00

    @jocht Thank you for your question. We apologize for the frustration that you have encountered.

    Firstly, please ensure that you have a custom domain added to your web app and that it is protected via an SSL cert. This is required to get HSTS to work.

    Secondly, the link you provided uses a different web.config file snippet than what we have in our internal notes. Can you please try to use the below snippet to see if it's successful?

    Edit the web.config file and update this tag: <system.webServer> by adding the following:

    <rewrite>
        <rules>
            <!-- Send any request that arrived over plain HTTP to the same URL on HTTPS -->
            <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                <match url="(.*)" />
                <conditions>
                    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                </conditions>
                <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
            </rule>
        </rules>
        <outboundRules>
            <!-- Set Strict-Transport-Security on responses served over HTTPS only -->
            <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                <conditions>
                    <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                </conditions>
                <action type="Rewrite" value="max-age=31536000" />
            </rule>
        </outboundRules>
    </rewrite>