Adding Security Headers for Azure CDN Content With Azure Engine Rules

OBS! This post shows how to create rules for Azure CDN Standard from Microsoft. Although there are some differences between the different CDN products that Azure has, rule creation is similar across the board. [Read more in the docs] (https://docs.microsoft.com/en-us/azure/cdn/cdn-verizon-premium-rules-engine-reference)

A few days ago, I shared on Twitter that I had improved the performance for my site, and Ben McCallum kindly sent the result for a wider screening of my site, including security headers. The Mozilla security headers screening came me an F, and I confirmed by using another site made by a friend of mine, Scott Helmer. My site is served using an Azure CDN (Azure CDN Standard from Microsoft), and the security headers can be set using the Rules Engine.

Create a new Rule, add an appropriate condition, for example ‘Request URL = Any’, and add an action for each header that you want to append. At the time of writing you can only have 3 Actions per Rule, and no more than 5 rules, including the global rule. For each action choose ‘Modify Response Header’, set Action to Append, and then header name and value. The value has a 128 char limit.

To scan your site you can use Bens site, Blip which gives an overview for several metrics including security, performance and accessibility, or Scott Helmers site that focuses on security headers and gives a detailed result. I’ve use both sites, as well as the built-in Lighthouse tool in Chrome Dev Tools.

Happy coding!

Comments

Last modified on 2020-08-20