Tutorial: Add Security headers with Rules Engine

This tutorial shows how to add security headers such as HTTP Strict-Transport-Security (HSTS), X-XSS-Protection, Content-Security-Policy, and X-Frame-Options, which help mitigate browser-based vulnerabilities. Security attributes can also be set on cookies in the same way.

The following example shows you how to add a Content-Security-Policy response header for all incoming requests that match the path defined in the route your Rules Engine configuration is associated with. Here, we only allow scripts from our trusted site, https://apiphany.portal.azure-api.net, to run on our application.

In this tutorial, you learn how to:

  • Configure a Content-Security-Policy within Rules Engine.

Prerequisites

Add a Content-Security-Policy header in Azure portal

  1. Within your Front Door resource, select Rules engine configuration under Settings, and then select the rules engine that you want to add the security header to.

    Screenshot showing rules engine configuration page of Azure Front Door.

  2. Select Add rule to add a new rule. Provide the rule a name and then select Add an Action > Response Header.

  3. Set the Operator to Append so that this header is added to the response for every incoming request on this route.

  4. Add the header name Content-Security-Policy, define the header value, and then select Save. In this scenario, we choose script-src 'self' https://apiphany.portal.azure-api.net.

    Screenshot showing the added security header.

    Note

    Header values are limited to 640 characters.

  5. Once you've added all of the rules you'd like to your configuration, don't forget to go to your preferred route and associate your Rules engine configuration to the Route Rule. This step is required to enable the rule to work.

    Screenshot showing how to associate a routing rule.

    Note

    In this scenario, we did not add match conditions to the rule. All incoming requests that match the path defined in the Route Rule will have this rule applied. If you would like it to only apply to a subset of those requests, be sure to add your specific match conditions to this rule.
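Once the rule is associated with the route, it is worth confirming that the header actually reaches the browser and that its value permits exactly the script origins you intended. The script below is an added example, not part of this tutorial or of Azure Front Door; it evaluates a Content-Security-Policy value against script URLs using a simplified version of the CSP source-matching rules (keywords, scheme-source, host-source with a leading "*." wildcard and optional port; source paths are ignored), and checks the value against the 640-character limit noted above. The origin https://www.contoso.example is a hypothetical site fronted by Front Door; the policy value is the one chosen in step 4.

```python
"""Evaluate a Content-Security-Policy header value for script loads the way a
browser would, and confirm it fits the Rules Engine header-value limit."""
from urllib.parse import urlsplit

# Constructed sample values. SITE_ORIGIN is a hypothetical origin served through
# Front Door; CSP_HEADER is the value chosen in the tutorial.
SITE_ORIGIN = "https://www.contoso.example"
CSP_HEADER = "script-src 'self' https://apiphany.portal.azure-api.net"
MAX_HEADER_VALUE_LEN = 640  # Rules Engine limit noted in the tutorial


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'name src src; name src' into {directive: [sources]} (names lowercased)."""
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            name, *sources = tokens
            directives.setdefault(name.lower(), sources)  # first occurrence wins, as in browsers
    return directives


def source_allows(source: str, url: str, self_origin: str) -> bool:
    """Simplified CSP source-expression matching: keywords, scheme-source and
    host-source with '*.' wildcard and optional port. Path components of a
    source are ignored (a deliberate simplification of the specification)."""
    target = urlsplit(url)
    if source.startswith("'"):
        if source == "'self'":
            origin = urlsplit(self_origin)
            return (target.scheme, target.hostname, target.port) == (
                origin.scheme, origin.hostname, origin.port)
        return False  # 'none', 'unsafe-inline', nonces and hashes never match a URL
    if source.endswith(":") and "/" not in source:
        return target.scheme == source[:-1].lower()  # scheme-source such as "https:"
    pattern = urlsplit(source if "://" in source else f"//{source}")
    if pattern.scheme:
        if pattern.scheme != target.scheme:
            return False
    elif target.scheme not in (urlsplit(self_origin).scheme, "https"):
        return False  # scheme-less host-source inherits the page's scheme; https is always fine
    host = pattern.hostname or ""
    target_host = target.hostname or ""
    if host == "*":
        pass
    elif host.startswith("*."):
        if not target_host.endswith(host[1:]):
            return False  # "*.example.com" matches "a.example.com" but not "example.com"
    elif host != target_host:
        return False
    return pattern.port is None or pattern.port == target.port


def script_allowed(header: str, script_url: str, self_origin: str = SITE_ORIGIN) -> bool:
    """True if the policy permits loading script_url; script-src falls back to default-src."""
    directives = parse_csp(header)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # neither directive present: the policy does not restrict scripts
    return any(source_allows(s, script_url, self_origin) for s in sources)


def fits_rules_engine_limit(header_value: str) -> bool:
    """Rules Engine header values are limited to 640 characters."""
    return len(header_value) <= MAX_HEADER_VALUE_LEN


if __name__ == "__main__":
    for url in ("https://apiphany.portal.azure-api.net/widgets.js",
                "https://www.contoso.example/app.js",
                "https://cdn.third-party.example/inject.js"):
        print(f"{url}: {'allowed' if script_allowed(CSP_HEADER, url) else 'blocked'}")
    print("within 640-char limit:", fits_rules_engine_limit(CSP_HEADER))
```

To check the deployed rule, copy the Content-Security-Policy value from the response headers shown in your browser's developer tools (or from curl -I against your Front Door endpoint) into CSP_HEADER and run the script against the script URLs your application loads; a script that is reported as blocked will also be blocked by the browser, so the policy should be adjusted in the rule before it reaches users.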

Clean up resources

In the previous steps, you configured security headers with the rules engine of your Front Door. If you no longer want the rule, you can remove it by selecting Delete rule within the rules engine.

Screenshot showing how to delete the security rule.

Next steps

To learn how to configure a Web Application Firewall for your Front Door, continue to the next tutorial.