Azure Functions HTTP triggers and bindings overview

Azure Functions may be invoked via HTTP requests to build serverless APIs and respond to webhooks.

Action Type
Run a function from an HTTP request Trigger
Return an HTTP response from a function Output binding

Install extension

The extension NuGet package you install depends on the C# mode you're using in your function app:

Functions execute in an isolated C# worker process. To learn more, see Guide for running C# Azure Functions in an isolated worker process.

The functionality of the extension varies depending on the extension version:

Add the extension to your project by installing the NuGet package, version 3.x.


An additional extension package is needed for ASP.NET Core integration in .NET Isolated

Install bundle

Starting with Functions version 2.x, the HTTP extension is part of an extension bundle, which is specified in your host.json project file. To learn more, see extension bundle.

This version of the extension should already be available to your function app with extension bundle, version 2.x.

host.json settings

This section describes the configuration settings available for this binding in versions 2.x and higher. Settings in the host.json file apply to all functions in a function app instance. The example host.json file below contains only the version 2.x+ settings for this binding. For more information about function app configuration settings in versions 2.x and later versions, see host.json reference for Azure Functions.


For a reference of host.json in Functions 1.x, see host.json reference for Azure Functions 1.x.

    "extensions": {
        "http": {
            "routePrefix": "api",
            "maxOutstandingRequests": 200,
            "maxConcurrentRequests": 100,
            "dynamicThrottlesEnabled": true,
            "hsts": {
                "isEnabled": true,
                "maxAge": "10"
            "customHeaders": {
                "X-Content-Type-Options": "nosniff"
Property Default Description
customHeaders none Allows you to set custom headers in the HTTP response. The previous example adds the X-Content-Type-Options header to the response to avoid content type sniffing. This custom header applies to all HTTP triggered functions in the function app.
dynamicThrottlesEnabled true* When enabled, this setting causes the request processing pipeline to periodically check system performance counters like connections/threads/processes/memory/cpu/etc and if any of those counters are over a built-in high threshold (80%), requests will be rejected with a 429 "Too Busy" response until the counter(s) return to normal levels.
*The default in a Consumption plan is true. The default in the Premium and Dedicated plans is false.
hsts not enabled When isEnabled is set to true, the HTTP Strict Transport Security (HSTS) behavior of .NET Core is enforced, as defined in the HstsOptions class. The above example also sets the maxAge property to 10 days. Supported properties of hsts are:
excludedHostsA string array of host names for which the HSTS header isn't added.
includeSubDomainsBoolean value that indicates whether the includeSubDomain parameter of the Strict-Transport-Security header is enabled.
maxAgeString that defines the max-age parameter of the Strict-Transport-Security header.
preloadBoolean that indicates whether the preload parameter of the Strict-Transport-Security header is enabled.
maxConcurrentRequests 100* The maximum number of HTTP functions that are executed in parallel. This value allows you to control concurrency, which can help manage resource utilization. For example, you might have an HTTP function that uses a large number of system resources (memory/cpu/sockets) such that it causes issues when concurrency is too high. Or you might have a function that makes outbound requests to a third-party service, and those calls need to be rate limited. In these cases, applying a throttle here can help.
*The default for a Consumption plan is 100. The default for the Premium and Dedicated plans is unbounded (-1).
maxOutstandingRequests 200* The maximum number of outstanding requests that are held at any given time. This limit includes requests that are queued but have not started executing, as well as any in progress executions. Any incoming requests over this limit are rejected with a 429 "Too Busy" response. That allows callers to employ time-based retry strategies, and also helps you to control maximum request latencies. This only controls queuing that occurs within the script host execution path. Other queues such as the ASP.NET request queue will still be in effect and unaffected by this setting.
*The default for a Consumption plan is 200. The default for the Premium and Dedicated plans is unbounded (-1).
routePrefix api The route prefix that applies to all routes. Use an empty string to remove the default prefix.

Next steps