Search code examples
node.jsazureazure-web-app-service

Adding Content Security Policy to Azure Web APP

I am trying to add a HSTS and X-XSS to my Web App. I have been testing using this: https://securityheaders.io

I have been using this link as a starting reference:

https://tomssl.com/2016/06/30/how-to-fix-the-http-response-headers-on-azure-web-apps-to-get-an-a-plus-on-securityheaders-io/

I add web.config file inside /site/wwwroot , i stop and start my web app , but it's look no effect ( i think that web.config is Not required )

I have Linux web app (Slack : NodeJS)

How would I accomplish this ?

Thank You!

Solution

  • You can change Content-Security-Policy in your code. It's the better way to solve your issure.

    Related Blog. How To Secure Node.js Applications with a Content Security Policy

    enter image description here

    I found that in azure linux, it is not directly known which webserver is used in the linux server, so I did not try the following method. If you are interested, you can raise a support for help, let Microsoft Engineer help you.

    As you use linux platform, so you need to determine which webserver you use in your web app.

    1. If use apache, you can add .htaccess file to solve the issue.

      Implement Content Security Policy using local htaccess file (Apache)

    2. If nginx, you can add yourcustom.conf file to do that.

      https://gist.github.com/plentz/6737338