Azure-docs: Manage HTTP Headers for Azure static website

Created on 20 Nov 2018 · 16 Comments · Source: MicrosoftDocs/azure-docs

There doesn't seem to be a clear and defined way to manage HTTP headers with an Azure static website. I know this feature is still in preview but my team and I are attempting to make this into a production ready web application.

I think most people utilizing the static website feature will be using JavaScript frameworks like Reactjs or Angular. Since there isn't a web.config to manage HTTP headers, it becomes unclear how to approach this. The headers in question are similar to the likes of Content Security Policy, X-Content-Type-Options, and X-XSS-Protection.

Thanks!

Pri3 assigned-to-author doc-enhancement storagsvc triaged

All 16 comments

@mercurjl can you please provide me with the link to the doc you are referring to?

Also, if this feature is still in preview it is highly suggested not to use it for production. The product may change by the time it goes GA and this could break your production site.

@mercurjl any update on this?

@MicahMcKittrick-MSFT Yep, I've made some headway. Sorry, I don't have a specific link to the documentation I was referring to; it was more of a lack thereof. I ended up following this blog post: https://blog.headforcloud.com/2018/07/29/static-hosting-headers/ and went down this path to get the headers working. Essentially using a Function App proxy to add the headers.

It does work if I point the Function App proxy directly to the $web storage blob but not when pointed to a CDN that refers to that same blob. This is the issue I'm working through now.
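As an added illustration of the Function App proxy workaround described above (not code from this thread or from the linked blog post), here is a `proxies.json` in the Azure Functions Proxies format that forwards every path to the `$web` endpoint and stamps the response headers the original post asks about. The backend hostname and the Content-Security-Policy value are placeholders to be replaced with the real storage endpoint and the policy the application actually needs:

```json
{
  "$schema": "http://json.schemastore.org/proxies",
  "proxies": {
    "staticSite": {
      "matchCondition": {
        "methods": ["GET", "HEAD"],
        "route": "/{*restOfPath}"
      },
      "backendUri": "https://STORAGE_ACCOUNT_PLACEHOLDER.z20.web.core.windows.net/{restOfPath}",
      "responseOverrides": {
        "response.headers.Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
        "response.headers.X-Content-Type-Options": "nosniff",
        "response.headers.X-XSS-Protection": "1; mode=block",
        "response.headers.X-Frame-Options": "DENY",
        "response.headers.Strict-Transport-Security": "max-age=31536000; includeSubDomains"
      }
    }
  }
}
```

The `{*restOfPath}` wildcard captures the remainder of the URL so the same rule covers the SPA's bundles and assets; headers set here apply to every proxied response, so the CSP value should be tested against the framework's inline-script and style usage before it is enforced.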

@MicahMcKittrick-MSFT it seems like the original feature request is related to Azure Storage static websites. Since Azure Functions proxies seem like a workaround, we should assign this to Storage instead.

Update on this if any other devs stumble upon this. I managed to get the CDN working by using the PUBLIC_URL environment variable in a .env file. I made the PUBLIC_URL the URL of the $web storage container where the build files were being pushed out to.

@mercurjl - Thanks for your feedback. We have this work in our backlog and will address it soon.

please-close

@tamram - Do you have an update on this yet?

Kindly let me know. We are hosting a production grade website on Azure Storage and have an Azure CDN serve it. We need to be able to set/unset certain security specific headers, and are stuck at this point.

Hey @roysudi, I managed to get the specific HTTP headers I needed by using an Azure proxy. This article talks about it a bit: https://blog.headforcloud.com/2018/07/29/static-hosting-headers/.

So the end product will be:

Domain (www.mywebsite.com) -> Azure Proxy URL (azurefunctionname.azurewebsite.com/net) -> CDN (azurecdnname.azureedge.net) -> storage account (storageaccountname.z20.blah.net)

Thank you @mercurjl . Yes that is definitely a viable path! However that adds an additional n/w hop too (CDN -> Proxy -> $web), which is sorta buzzkill. I think Team Azure should come up with a defined strategy for static websites and how they should be served.

reassign: @normesta

Sounds like some decent workarounds! Yes, there's no way to configure headers as part of the static website feature. However, you can use Azure CDN to add headers and append (or overwrite) header values. You'd set up rules with actions in them. Here's a link - Standard rules engine reference for Azure CDN. I added this to the content to help any others who stumble upon this. Thank you for raising!

please-close

Dear @normesta, yes we do have headers set up at CDN (Verizon Premium) level. However, it has limitations, such as not giving the ability to remove the ‘Server’ header. This causes our application to be flagged unnecessarily.
Thoughts?

Hi @roysudi - I'm not too familiar with Azure CDN, but if you're using Verizon Premium, try this section - https://docs.microsoft.com/en-us/azure/cdn/cdn-verizon-premium-rules-engine-reference-features#header-features. Looks like there is a headers feature that you can use to modify request and response headers (including the ability to delete them). Perhaps this will work?

Hi @normesta, thanks for getting back so quickly!
Indeed there is, and we do use the feature. However, they don't let you set/unset certain headers, the “Server” response header being one of them. Since the server info shows up if you don't remove it, the app becomes vulnerable to “banner grabbing”.

Hi @normesta,
The rules engine on Microsoft Standard CDN is limited to 3 actions per rule, so it is too limited to be used for setting all the most necessary headers (atm I would need to add a total of 7 headers). Are there any other options?
