Allow adding headers to static website hosting in blob storage
The static website hosting is fantastic, to make this feature even more awesome please allow adding of custom headers like CSP, HSTS etc secure the static website.
This feature would be important for me. I have the following scenarios.
- Cache control headers to expire cache
- content-disposition headers to control the behaviour when an user clicks on a static file like a CSV (download or render inline)
Mark Dommisse commented
Not having this functionality will mean that every pentester will find issues with implementing static website hosting in blob storage.
Justin Musterman commented
static websites is not a production ready product without this feature. shameful.
Weber Ress commented
This is a must feature ! have my vote !
Koen van der Meer commented
This is a must for serious solutions.
Mark Conway commented
As it stands today, hosted sites get an F-rating from https://securityheaders.com
Also, can we have an auto redirect from http to https?
Yaser Mehraban commented
+1000 for this, it's one those items on every security checklist which gets audited
Matt Cotterell commented
This is absolutely crucial for this to be viable for any serious usage. Without simple static headers like HSTS, CSP and other security staples, we cannot rely on this.
As a workaround, we can make use of Azure CDN (Verizon Premium) for this (and HTTP->HTTPS redirects) but it is disappointing we have to rely on the most expensive CDN tier to achieve this when it’s a far better fit for Static Websites to handle (and so critical for modern web security).
Mahesh Saini Srijan commented
I also have the requirement to add `X-Frame-Options`, `Content-Security-Policy` and `Content-Type` header for each resource in order to pass the security testing. I would love to have this feature by default in blog storage.
It is good to have features If I can add `X-Frame-Options`, `Content-Security-Policy` and `Content-Type` header for each resource.
Mikael Chudinov commented
Especially cache-control headers are useful.
Aleksander Pawlak commented
Currently this is only achievable with Azure Proxy Functions. This isn't the best way to go, especially when there are free services that do exactly this. This shouldn't be hard to implement, yet very welcoming feature. I plan to use static website hosting for my customers on Azure, and would very much want it to be as secure as possible
Farzan Hasani commented
Custom headers can be added through CDN Rules Engine. However, we are unable to delete or modify the server header. Please allow this feature (or set it to a generic name) in order to comply with security recommendations