CDN Rules

(~10 minutes) Add a few CDN rules to deliver a more secure experience for visitors to the website.

Securing your static website:

Without configuring rules in your CDN the azure static website will get a grade of F from a security header perspective.

Analyse your HTTP response headerssecurityheaders

The basic (most affordable) Azure CDN Has a limit on the number of global rules (as of this time it is 3), the approach outlined below attempts to address the most urgent security concerns and work within these constraints.

CDN headers that will be configured:

• Add

  • X Frame Options

    • Mozilla Documentation

  • Content Security Policy

    • Mozilla Documentation

  • Strict Transport Security

    • Mozilla Documentation

  • Referrer Policy

    • Mozilla Documentation

  • HTTPS Redirect (301)

    • Google Documentation

• Remove

  • Server

    • Mozilla Documentation

Important regarding the /b2c-login path The path "b2c-login" has different rules as we will serve our custom login assets from that path and because they are loaded by B2C they need different security headers. (Read More on this)

Configure Rules Engine

Navigate to the CDN you've created

Select Rules Engine under Settings in the left pane. Add the following rules:

Global

• Choose "Add action" , choose "Modify Response Header" for adding each of the following

• • Add Action "Delete"

    • Choose:

      • HTTP header name: Server

  • Add Action "Append"

    • Choose

      • HTTP header name: X-Content-Type-Options

      • HTTP header value: nosniff

** Make sure copy and paste gets correct value (Leading/Trailing spaces, special characters)

New Rule: [Name:EnforceHTTPS]

• Choose "Add Rule", name EnforceHTTPS

• Add Condition "Request Protocol"

  • Choose:

    • If : Request protocol [Operator : Equals] [Value : HTTP]

• Add Action "URL Redirect"

  • Choose:

    • Then URL Redirect [Type: Moved (301)] [Protocol: HTTPS]

    • (leave all other fields empty)

New Rule: [Name:Global2]

• Choose "Add Rule", name Global2

• Add Condition "Request Protocol"

  • Choose:

    • If : Request protocol [Operator : Equals] [Value : HTTP]

• Add Action "Modify Response Header"

  • Choose:

    • Then Modify response header [Action: Append]

    • HTTP header name: Strict-Transport-Security

    • HTTP header value: max-age=31536000; includeSubDomains; preload

• Add Action "Modify Response Header"

  • Choose:

    • Then Modify response header [Action: Append]

    • HTTP header name: Referrer-Policy

    • HTTP header value:no-referrer

New Rule: [Name:Global3]

• Choose "Add Rule", name Global3

• Add Condition "if URL path"

  • Choose:

    • If : Request protocol [Operator : Not contains] [Value : b2c-login]

    • Case Transform: No transform

• Add Action "Modify Response Header"

  • Choose:

    • Then Modify response header [Action: Append]

    • HTTP header name: X-Frame-Options

    • HTTP header value: SAMEORIGIN

• Add Action "Modify Response Header"

  • Choose:

    • Then Modify response header [Action: Append]

    • HTTP header name: Content-Security-Policy

    • HTTP header value: script-src 'self' cdnjs.cloudflare.com

• Add Action "Modify Response Header"

  • Choose:

    • Then Modify response header [Action: Append]

    • HTTP header name: Referrer-Policy

    • HTTP header value: no-referrer

• Add Action "Modify Response Header"

  • Choose:

    • Then Modify response header [Action: Append]

    • HTTP header name: Strict-Transport-Security

    • HTTP header value: max-age=31536000; includeSubDomains; preload

Important: Be sure to configure your Content-Security-Policy for every external source you will load javascript from.

New Rule: [Name:B2CCors]

• Choose "Add Rule", name B2CCors

• Add Condition "if URL path"

  • Choose:

    • If : Request protocol [Operator : Contains] [Value : b2c-login]

    • Case Transform: No transform

• Add Action "Modify Response Header"

  • Choose:

    • Then Modify response header [Action: Append]

    • HTTP header name: Access-Control-Allow-Origin

    • HTTP header value: <<your b2c endpoint, e.g. https://sharethriftexternal.b2clogin.com>>

• Add Action "Modify Response Header"

  • Choose:

    • Then Modify response header [Action: Append]

    • HTTP header name: Access-Control-Allow-Headers

    • HTTP header value: *

• Add Action "Modify Response Header"

  • Choose:

    • Then Modify response header [Action: Append]

    • HTTP header name: Access-Control-Expose-Headers

    • HTTP header value: *

• Add Action "Modify Response Header"

  • Choose:

    • Then Modify response header [Action: Append]

    • HTTP header name: Access-Control-Allow-Methods

    • HTTP header value: GET, OPTIONS

• Add Action "Modify Response Header"

  • Choose:

    • Then Modify response header [Action: Append]

    • HTTP header name: Access-Control-Max-Age

    • HTTP header value: 200

Choose Save:

When completed the settings should look like the following:

Additional Resources:

• Hardening your HTTP Response Headers