Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to: ✔️ Front Door (classic)
Important
Azure Front Door (classic) will be retired on March 31, 2027. To avoid any service disruption, it's important that you migrate your Azure Front Door (classic) profiles to Azure Front Door Standard or Premium tier by March 2027. For more information, see Azure Front Door (classic) retirement.
This tutorial demonstrates how to implement security headers to prevent browser-based vulnerabilities such as HTTP Strict-Transport-Security (HSTS), X-XSS-Protection, Content-Security-Policy, and X-Frame-Options. Security attributes can also be defined with cookies.
The example in this tutorial shows how to add a Content-Security-Policy header to all incoming requests that match the path defined in the route associated with your rules engine configuration. In this scenario, only scripts from the trusted site https://apiphany.portal.azure-api.net are allowed to run on the application.
In this tutorial, you learn how to:
- Configure a Content-Security-Policy within rules engine.
Prerequisites
- An Azure subscription.
- An Azure Front Door. To complete this tutorial, you must have an Azure Front Door configured with rules engine. For more information, see Create an Azure Front Door and Configure your rules engine.
Add a Content-Security-Policy header in Azure portal
In your Azure Front Door resource, select Rules engine configuration under Settings. Choose the rules engine where you want to add the security header.
Select Add rule to create a new rule. Name the rule and then select Add an Action > Response Header.
Set the Operator to Append to add this header to all incoming requests for this route.
Enter the header name: Content-Security-Policy and specify the values for this header. In this example, use
script-src 'self' https://apiphany.portal.azure-api.net. Select Save.
Note
Header values are limited to 640 characters.
After adding the rules, associate your Rules engine configuration with the Route Rule of your chosen route. This step is necessary for the rule to take effect.
Note
In this example, no match conditions were added to the rule. The rule will apply to all incoming requests that match the path defined in the Route Rule. To apply it to a subset of requests, add specific match conditions to the rule.
Clean up resources
If you no longer need the security header rule configured in the previous steps, you can remove it by selecting Delete rule in the rules engine.