2
votes

Is it possible to add Content Security Policy (CSP) headers on static websites hosted in Azure blob storage?

I can see you can add metadata by using the Azure CLI with the following command:

az storage blob metadata update --container-name "<container>" --name "blobname" --metadata key=value

However, these never end up being propagated to the HTTP Headers.

Is there a way to add custom headers to blobs?


2 Answers

2
votes

Because for now this function is not available (you could go to the feedback site and upvote the feature), you could achieve it with Azure Functions.

Here is the blog you could refer to: Static web hosting with security headers on Azure.

And there is a way (it's an answer on MSDN) to add X-XSS-Protection to the web app. Create a web.config file in the app's wwwroot folder, then paste the following:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <!-- START x-xss protection -->
        <httpProtocol>
            <customHeaders>
                <add name="X-Xss-Protection" value="1; mode=block" />
                <add name="Content-Security-Policy" value="default-src 'self';" />
                <remove name="X-Powered-By" />
            </customHeaders>
        </httpProtocol>
        <!-- END x-xss protection -->
        <rewrite>
            <rules>
                <!-- BEGIN rule TAG FOR HTTPS REDIRECT -->
                <rule name="Force HTTPS" enabled="true">
                  <match url="(.*)" ignoreCase="false" />
                  <conditions>
                    <add input="{HTTPS}" pattern="off" />
                  </conditions>
                  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
                </rule>
                <!-- END rule TAG FOR HTTPS REDIRECT -->
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

2
votes

You can append CSP headers to an Azure CDN in the Rules Engine section, after mapping the CDN to your static website hosted in Azure Blob Storage. Please find the step-by-step reference here.
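Whichever route you take (Function proxy, web.config, or CDN Rules Engine), the thing to verify afterwards is that the headers actually reach the client, which was the original complaint about blob metadata. The following check is an added example, not code from either answer: it parses a captured response head and flags a missing or permissive CSP, a missing X-Xss-Protection header, or a leaked X-Powered-By. The two response heads are constructed samples; in practice the input would be the output of `curl -sI https://<your-site>/`.

```python
# Constructed response heads, as `curl -sI https://<your-site>/` would print them.
GOOD = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Content-Security-Policy: default-src 'self';\r\n"
        "X-Xss-Protection: 1; mode=block\r\n\r\n")
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Content-Security-Policy: default-src *; script-src 'self' 'unsafe-inline'\r\n"
        "X-Powered-By: ASP.NET\r\n\r\n")


def parse_head(raw):
    """Return {lower-cased header name: value} from a raw HTTP response head."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value):
    """Split a CSP value into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:                         # ignore the empty trailing directive
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    headers = parse_head(raw)
    findings = []
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP lacks a default-src fallback")
        for directive, sources in policy.items():
            for src in sources:
                if src in ("*", "'unsafe-inline'", "'unsafe-eval'"):
                    findings.append(f"{directive} allows {src}")
    if "x-xss-protection" not in headers:
        findings.append("X-Xss-Protection missing")
    if "x-powered-by" in headers:
        findings.append("X-Powered-By still disclosed")
    return findings
```

Pipe a real capture in with `python3 -c 'import sys, audit; print(audit.audit(sys.stdin.read()))'` (assuming the file is saved as audit.py) to check a deployed site.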