Monthly Archives: April 2021

Azure App Service how to change the ‘HTTP Strict Transport Security’ ?

The HTTP Strict Transport Security can be changed by modifying the coutboundRules section of the web.config as follows:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
      <!-- here we change the 'HTTP Strict Transport Security' -->
        <rule name="Add Strict-Transport-Security only when using HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubdomains; preload" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>

Azure App Service how to remove the custom headers X-Frame-Options; X-XSS-Protection; X-Content-Type-Options ?

The custom headers can be removed by modifying the customHeaders section of the web.config as follows:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By"/>
        <clear/>

        <!-- here we remove custom headers -->
        <add name="X-Frame-Options" value="SAMEORIGIN"/>
        <add name="X-Xss-Protection" value="1; mode=block"/>
        <add name="X-Content-Type-Options" value="nosniff"/>
        <!-- here we remove custom headers -->

        <add name="Referrer-Policy" value="strict-origin-when-cross-origin"/>
        <add name="Permissions-Policy" value="accelerometer=(self), camera=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(self), payment=(self), usb=(self)"/>
      </customHeaders>
    </httpProtocol>
  </system.webServer>]
</configuration>