CDN Rules
(~10 minutes) Add a few CDN rules to deliver a more secure experience for visitors to the website.
Last updated
Was this helpful?
(~10 minutes) Add a few CDN rules to deliver a more secure experience for visitors to the website.
Last updated
Was this helpful?
Securing your static website:
Without configuring rules in your CDN the azure static website will get a grade of F from a security header perspective.
The basic (most affordable) Azure CDN Has a limit on the number of global rules (as of this time it is 3), the approach outlined below attempts to address the most urgent security concerns and work within these constraints.
CDN headers that will be configured:
Add
X Frame Options
Content Security Policy
Strict Transport Security
Referrer Policy
HTTPS Redirect (301)
Remove
Server
Navigate to the CDN you've created
Select Rules Engine under Settings in the left pane. Add the following rules:
Choose "Add action" , choose "Modify Response Header" for adding each of the following
Add Action "Delete"
Choose:
HTTP header name: Server
Add Action "Append"
Choose
HTTP header name: X-Content-Type-Options
HTTP header value: nosniff
** Make sure copy and paste gets correct value (Leading/Trailing spaces, special characters)
Choose "Add Rule", name EnforceHTTPS
Add Condition "Request Protocol"
Choose:
If : Request protocol [Operator : Equals] [Value : HTTP]
Add Action "URL Redirect"
Choose:
Then URL Redirect [Type: Moved (301)] [Protocol: HTTPS]
(leave all other fields empty)
Choose "Add Rule", name Global2
Add Condition "Request Protocol"
Choose:
If : Request protocol [Operator : Equals] [Value : HTTP]
Add Action "Modify Response Header"
Choose:
Then Modify response header [Action: Append]
HTTP header name: Strict-Transport-Security
HTTP header value: max-age=31536000; includeSubDomains; preload
Add Action "Modify Response Header"
Choose:
Then Modify response header [Action: Append]
HTTP header name: Referrer-Policy
HTTP header value:no-referrer
Choose "Add Rule", name Global3
Add Condition "if URL path"
Choose:
If : Request protocol [Operator : Not contains] [Value : b2c-login]
Case Transform: No transform
Add Action "Modify Response Header"
Choose:
Then Modify response header [Action: Append]
HTTP header name: X-Frame-Options
HTTP header value: SAMEORIGIN
Add Action "Modify Response Header"
Choose:
Then Modify response header [Action: Append]
HTTP header name: Content-Security-Policy
HTTP header value: script-src 'self' cdnjs.cloudflare.com
Add Action "Modify Response Header"
Choose:
Then Modify response header [Action: Append]
HTTP header name: Referrer-Policy
HTTP header value: no-referrer
Add Action "Modify Response Header"
Choose:
Then Modify response header [Action: Append]
HTTP header name: Strict-Transport-Security
HTTP header value: max-age=31536000; includeSubDomains; preload
Important: Be sure to configure your Content-Security-Policy for every external source you will load javascript from.
Choose "Add Rule", name B2CCors
Add Condition "if URL path"
Choose:
If : Request protocol [Operator : Contains] [Value : b2c-login]
Case Transform: No transform
Add Action "Modify Response Header"
Choose:
Then Modify response header [Action: Append]
HTTP header name: Access-Control-Allow-Origin
HTTP header value: <<your b2c endpoint, e.g. https://sharethriftexternal.b2clogin.com>>
Add Action "Modify Response Header"
Choose:
Then Modify response header [Action: Append]
HTTP header name: Access-Control-Allow-Headers
HTTP header value: *
Add Action "Modify Response Header"
Choose:
Then Modify response header [Action: Append]
HTTP header name: Access-Control-Expose-Headers
HTTP header value: *
Add Action "Modify Response Header"
Choose:
Then Modify response header [Action: Append]
HTTP header name: Access-Control-Allow-Methods
HTTP header value: GET, OPTIONS
Add Action "Modify Response Header"
Choose:
Then Modify response header [Action: Append]
HTTP header name: Access-Control-Max-Age
HTTP header value: 200
Choose Save:
When completed the settings should look like the following:
Additional Resources:
Important regarding the /b2c-login path The path "b2c-login" has different rules as we will serve our custom login assets from that path and because they are loaded by B2C they need different security headers. ( on this)
