Implementing Security Headers in Azure Application Gateway

App-gateway-remove-port-from-headerIf your Azure App Service is behind Azure Application Gateway you will need to implement Strict Transport Security and Secure Headers in your Azure Application Gateway instead of App Service’s web.config or .htaccess

Azure Application Gateway has an ability to add, remove or modify inbound and outbound headers. This can be done in “Rewrites” section of your Application Gateway’s blade.

Click “+ Rewrite set

Application-Gateway-Add-Headers

In the first step of the Wizard name the rewrite set and choose routing rules and paths to apply this set to and click “Next”.

Now click on “Add rewrite rule” and name the rule for example “AddSecureHeaders”:

Application-Gateway-Add-Secure-HeadersNext, click on “Add action”. You will see the new action entry appeared in the pane:

Application-Gateway-Add-Secure-Headers-Add-ActionClick on it and it will expand with a menu where you can set properties of the new header for you want to add. In “Rewrite type” choose “Response Header” and in “Action Type” choose “Set”.

If your  “Header name” type as “Common header” you will be able to choose a header from a predefined list. In case of “Custom header” you will be able to set header’s name manually.

Here is an example of X-Frame-Options header configured in Azure Application Gateway:

X-Frame-Options-header-configured-in-Azure-Application-GatewayClick OK and “Add action” to add another header. Let’s say this time it will be Custom header X-Content-Type-Options:

header-X-Content-Type-Options-Azure-App-GatewayIf we want to remove unnecessary headers such as “Server” or “X-Powered-By“, we choose “Action type” – “Delete”. Here is an example:

Delete-X-Powered-By-Header

Here is a complete list of rules:


For your convenience here is a text representation of the rules above in IIS web.config file with the comments for each rule. Just copy values from the file’s example :

After finishing creating the rules don’t forget to click blue “Create” button in the lower left corner.

Now check your website through a tool like https://securityheaders.com/ and you will see what is it that your website is missing from the best practices.

That’s it! Good luck!

Want me to do this for you? Drop me a line: itgalaxyzzz {at} gmail [point] com