Implementing Security Headers in Azure App Service

If you want to follow best security practices and implement Strict Transport Security and secure headers in your Azure App Service, you will need to add the security headers in the web.config or .htaccess file in your web application’s root folder.

Before you start, remember that App Services run on PaaS, which means that not everything can be touched or changed. This post addresses Azure App Service on Windows, i.e. sites served by the IIS web server. In particular:

  • 502, 503 and 403 HTTP statuses are returned by the front-end instances and never reach the worker, which means that we cannot influence the headers there

Removing the X-AspNet-Version header

You can do this by editing the web.config file in Kudu. If you don’t have one, just create a web.config file in the wwwroot directory.

This goes between the <configuration> and </configuration> tags.

Removing the X-Powered-By: ASP.NET header

Again under <configuration>

Removing the Server header

Again under <configuration>

These do not remove the Server header from 500.0 errors. You can’t really do that, but what you can do is rename it. More info here – https://stackoverflow.com/questions/50150160/remove-server-header-on-response-on-500-http-error

The web.config so far

So if you want to do all three in one, here is how your web.config should look.
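As an added example (not the post’s own web.config), here is a complete file that removes all three headers on Azure App Service for Windows. It assumes an IIS 10 or later worker, which is what App Service on Windows runs; as the post notes, the platform-generated 502/503/403 responses are not affected by anything in this file.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the post's own web.config.
     Removes X-AspNet-Version, X-Powered-By and Server on Azure App Service (Windows / IIS). -->
<configuration>
  <system.web>
    <!-- X-AspNet-Version is emitted by the ASP.NET runtime; turning the
         version header off removes it from every response the worker builds. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- X-Powered-By: ASP.NET is a static custom header inherited from the
             server level; a site-level <remove> drops it. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- removeServerHeader requires IIS 10+ (assumption: the App Service
           worker qualifies). It suppresses the Server header on responses
           the worker produces. -->
      <requestFiltering removeServerHeader="true" />
    </security>
    <rewrite>
      <outboundRules>
        <!-- Fallback for responses the URL Rewrite module sees but the
             setting above misses (for example error pages the worker renders):
             rewrite the Server variable to an empty value, or put a harmless
             name in "value" if you prefer the rename approach the post links to. -->
        <rule name="Strip Server header">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

After deploying, check with a plain request from outside (for example curl -I against the site) that X-AspNet-Version, X-Powered-By and Server are absent on a normal 200 response; then request a deliberately missing page to see which headers the error path still leaks.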

Removing the X-Powered-By: PHP/7.2.19 (or any other version) header

Now this header exists only in PHP applications and is controlled by PHP itself. What you usually need to do is go to your PHP folder, open php.ini and find this line:

expose_php = On (change it to Off to remove the header)

In Azure App Service, unfortunately, it is a little different. The usual way of influencing PHP settings, placing a .user.ini file in wwwroot, will not work, because expose_php is a core setting and is not affected by .user.ini. So the way to do it is this:

  1. Go to your Web App’s Configuration blade
  2. Under Application Settings click New application setting
  3. Name: PHP_INI_SCAN_DIR
  4. Value: D:\home\site
  5. Click OK and Save

Azure Web App second php.ini

What we just did is tell PHP to scan this directory for additional .ini files. Now create a new php.ini file in the site directory of your Web App, containing the single line expose_php = Off. Save it and restart the Web App. The X-Powered-By: PHP/7.2.19 header should be gone. You can also check whether the setting took effect with a phpinfo() page: search for expose_php and confirm that the value is Off.

Adding headers for improved security

So far we have been stripping headers; now it’s time to add some for improved security. If you run your website through a tool like https://securityheaders.com/ you will see which best-practice headers your website is missing.

Here are two great posts that explain it all: https://scotthelme.co.uk/hardening-your-http-response-headers/ and https://infosec.mozilla.org/guidelines/web_security

Here is a sample web.config that adds these headers. It all goes under <configuration> -> <system.webServer>.
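The following is an added example (not the post’s own file) of the <system.webServer> section with the headers securityheaders.com looks for, plus an HTTP-to-HTTPS redirect, since HSTS only takes effect once a visitor has reached the site over HTTPS. The header values are reasonable defaults; adjust them to your application.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the post's own web.config. Adds the common security
     headers and redirects plain HTTP to HTTPS. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- HSTS: browsers remember to use HTTPS for this host for max-age
             seconds (one year here). Add includeSubDomains only when every
             subdomain serves HTTPS; add "preload" only once you are sure,
             because a preload-list entry is hard to undo. -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <!-- Stops MIME sniffing: a response is handled only as its declared type. -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- Refuses framing by other origins (clickjacking); frame-ancestors
             in a CSP is the modern equivalent. -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <!-- Sends only the origin to cross-origin peers, and nothing to HTTP peers. -->
        <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
        <!-- Opt out of browser features the app does not use. -->
        <add name="Permissions-Policy" value="camera=(), microphone=(), geolocation=()" />
      </customHeaders>
    </httpProtocol>
    <rewrite>
      <rules>
        <!-- Redirect plain HTTP before HSTS can help. App Service's
             "HTTPS Only" setting does the same at the platform level. -->
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

If the application (or a framework middleware) already sets one of these headers, keep a single source: two copies of Strict-Transport-Security or X-Frame-Options in one response are a common cause of inconsistent scanner results.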


The Complete web.config with HSTS and Secure Headers

So, removing the unnecessary headers and adding the additional ones for security: here is how it all looks in a single web.config. After you implement it you should get an A+ on https://securityheaders.com/. Try other security portals and see how your app rates: https://www.ssllabs.com/ssltest and https://observatory.mozilla.org/.

Here is an example of a restrictive Content Security Policy (CSP). No inline CSS or JS is allowed; images, media, forms, scripts and styles may only come from the domains whitelisted in the CSP. It also shows the use of a nonce for <script> tags whose contents cannot be moved into a .js file.
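As an added example (not the post’s own policy), this is a restrictive CSP delivered from web.config. The origins cdn.example.com and media.example.com are placeholders. The nonce value is also a placeholder: a nonce only protects anything if it is unpredictable and unique per response, so the application must generate it for each request and emit both the header and the matching <script nonce="..."> attribute. A fixed nonce written into web.config is equivalent to allowing 'unsafe-inline'.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the post's own web.config. Restrictive CSP: nothing is
     allowed unless listed, no inline CSS or JS, resources only from
     placeholder origins. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- default-src 'none' denies everything not covered by a more
             specific directive. frame-ancestors 'none' replaces X-Frame-Options
             for CSP-aware browsers. base-uri 'self' stops <base> injection.
             upgrade-insecure-requests rewrites http:// subresources to https://.
             'nonce-REPLACE_PER_REQUEST' is a placeholder: the app must set a
             fresh random value per response (and then should set this header
             itself rather than from here, so only one CSP header is sent). -->
        <add name="Content-Security-Policy"
             value="default-src 'none'; script-src 'self' https://cdn.example.com 'nonce-REPLACE_PER_REQUEST'; style-src 'self' https://cdn.example.com; img-src 'self' https://media.example.com data:; media-src https://media.example.com; font-src 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'self'; upgrade-insecure-requests" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

A matching inline block in the page would then be <script nonce="the same per-response value">...</script>; any inline script without that attribute is blocked and reported in the browser console. When rolling this out on an existing site, send it first as Content-Security-Policy-Report-Only with the same value and watch the violation reports, then switch to the enforcing header once nothing legitimate is blocked.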


Add Security Header to Apache

If you are running a Linux Apache web app, you can add the security headers by putting the following into your .htaccess file.

Good luck!

Want me to do this for you? Drop me a line: itgalaxyzzz {at} gmail [dot] com