How to test Security Headers on App Services within Windows based containers?


I have set up HSTS on my web application. It is an Angular app with a .NET backend, hosted on Azure App Services in Windows containers. I made changes to the Startup.cs:

services.AddHsts(options =>
{
    options.Preload = true;
    options.IncludeSubDomains = true;
    options.MaxAge = TimeSpan.FromMinutes(5); //.FromDays(60); //.FromSeconds(31536000);
});

services.AddHttpsRedirection(options =>
{
    options.RedirectStatusCode = (int)HttpStatusCode.TemporaryRedirect;
    options.HttpsPort = 5001;
});

Chrome internals is showing: dynamic_upgrade_mode: FORCE_HTTPS. I cannot figure out how to set up other security headers for an Azure App Service within a Windows container:

  • X-XSS-Protection
  • X-Frame-Options
  • X-Content-Type-Options
  • HTTP Strict Transport Security (HSTS)
  • Referrer-Policy
  • Feature-Policy
  • Content-Security-Policy

There is 1 answer below

Harshitha

You can add security headers either from Program.cs or in the web.config file.

In the Program.cs file, add the code below:

app.Use(async (context, next) =>
{
    // Indexer assignment overwrites any existing value. Headers.Add would throw
    // if the same header were already present (for example when UseHsts() is also wired up).
    context.Response.Headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload";
    context.Response.Headers["X-XSS-Protection"] = "1; mode=block";
    context.Response.Headers["X-Frame-Options"] = "SAMEORIGIN";
    context.Response.Headers["X-Content-Type-Options"] = "nosniff";
    context.Response.Headers["Referrer-Policy"] = "no-referrer";
    context.Response.Headers["Feature-Policy"] = "camera 'none'; microphone 'none'";
    context.Response.Headers["Content-Security-Policy"] = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';";

    // Headers must be set before the rest of the pipeline starts writing the response.
    await next.Invoke();
});

OR

I have taken references from this blog to add security headers in web.config file.

  • Add a web.config file in the existing application and add the setting below related to security headers.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <clear />
        <add name="X-Xss-Protection" value="1; mode=block"/>
        <add name="X-Frame-Options" value="SAMEORIGIN"/>
        <add name="X-Content-Type-Options" value="nosniff"/>
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload"/>
        <add name="Referrer-Policy" value="strict-origin-when-cross-origin"/>
        <add name="Feature-Policy" value="Policy-directive" />
        <add name="Content-Security-Policy" value="upgrade-insecure-requests; base-uri 'self'; frame-ancestors 'self'; form-action 'self'; object-src 'none';"/>
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

You can also refer to the SO thread and blog, which explain how to add the security headers from the web.config file.

Output: (screenshot of the response headers)
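To actually test that the headers above reach the client, a checker that reads the raw response head (for example the output of `curl -sI https://<your-app>.azurewebsites.net`, placeholder host) and flags missing or weak values is useful. This is an added example, not code from the question or the answer; the sample response is constructed, and the checker deliberately skips X-XSS-Protection and Feature-Policy, which current browsers no longer honour.

```python
import re

# Constructed sample: a response head as returned once the middleware or
# web.config above is deployed. HSTS max-age is deliberately short here and
# the CSP still allows 'unsafe-inline', so both should be reported.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
"""

MIN_HSTS_AGE = 31536000  # one year, the value used in the answer

REQUIRED = ("strict-transport-security", "x-frame-options",
            "x-content-type-options", "referrer-policy",
            "content-security-policy")


def parse_headers(raw):
    """Return a {lower-cased name: value} dict from a raw HTTP response head."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"missing {name}" for name in REQUIRED if name not in headers]
    hsts = headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if m and int(m.group(1)) < MIN_HSTS_AGE:
        findings.append(f"hsts max-age {m.group(1)} is below {MIN_HSTS_AGE}")
    if hsts and "includesubdomains" not in hsts.lower():
        findings.append("hsts lacks includeSubDomains")
    if "x-content-type-options" in headers and headers["x-content-type-options"].lower() != "nosniff":
        findings.append("x-content-type-options is not nosniff")
    if "'unsafe-inline'" in headers.get("content-security-policy", ""):
        findings.append("csp allows 'unsafe-inline'")
    return findings


if __name__ == "__main__":
    for finding in check_security_headers(parse_headers(SAMPLE_RESPONSE)):
        print(finding)
```

Pipe real `curl -sI` output into `parse_headers` to run the same checks against the deployed App Service.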