|
| 1 | +--- |
| 2 | +title: Use header rewrite to add HSTS header in portal - Azure Application Gateway |
| 3 | +description: Learn how to use the Azure portal to configure an Azure Application Gateway to rewrite the HTTP header in the requests and responses passing through the gateway |
| 4 | +services: application-gateway |
| 5 | +author: reyjordi |
| 6 | +ms.service: azure-application-gateway |
| 7 | +ms.topic: how-to |
| 8 | +ms.date: 10/09/2024 |
| 9 | +ms.author: reyjordi |
| 10 | +ms.custom: mvc |
| 11 | +--- |
| 12 | +# Add HSTS headers with Azure Application Gateway - Azure portal |
| 13 | + |
| 14 | +This article describes how to use the Azure portal to configure an [Application Gateway v2 SKU](./application-gateway-autoscaling-zone-redundant.md) instance to rewrite HSTS headers to better secure traffic to your application through HSTS policy. |
| 15 | + |
| 16 | +HSTS policy helps protect your sites against man-in-the-middle attacks. When redirecting HTTP traffic to HTTPS, a man-in-the-middle attack can incercept the initial HTTP request and exploit visitors through the non-encrypted version of the site. Adding the HTTP Strict Transport Security header ensures that a user will always connect with HTTPS instead of HTTP. |
| 17 | + |
| 18 | +If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. |
| 19 | + |
| 20 | +## Before you begin |
| 21 | + |
| 22 | +You need to have an Application Gateway v2 SKU instance to complete the steps in this article. Rewriting headers isn't supported in the v1 SKU. If you don't have the v2 SKU, create an [Application Gateway v2 SKU](./tutorial-autoscale-ps.md) instance before you begin. |
| 23 | + |
| 24 | +## Sign in to Azure |
| 25 | + |
| 26 | +Sign in to the [Azure portal](https://portal.azure.com/) with your Azure account. |
| 27 | + |
| 28 | +## Create required objects |
| 29 | + |
| 30 | +To configure HSTS policy, you must first complete these steps: |
| 31 | + |
| 32 | +1. Create the objects that are required for adding an HSTS header: |
| 33 | + |
| 34 | + - **HTTP Listener**: Create a basic or multisite HTTP listener. This listener must listen on port 80, and the protocol must be set to HTTP. |
| 35 | + |
| 36 | + - **HTTPS Listener**: Create a basic or multisite HTTPS listener. This listener must listen on port 443, have the protocol set to HTTPS, and contain a certificate. |
| 37 | + |
| 38 | +2. Create a routing rule that redirects all the traffic from the HTTP listener to the HTTPS listener. |
| 39 | + |
| 40 | +To learn more about how to set up http to https redirection, see [HTTP to HTTPS Redirection](./redirect-http-to-https-portal.md). |
| 41 | + |
| 42 | +## Configure HSTS policy |
| 43 | + |
| 44 | +In this example, we will add the Strict Transport Security (STS) response header, using the rewrite rules of application gateway. |
| 45 | + |
| 46 | +1. Select **All resources**, and then select your application gateway. |
| 47 | + |
| 48 | +2. Select **Rewrites** in the left pane. |
| 49 | + |
| 50 | +3. Select **Rewrite set**: |
| 51 | + |
| 52 | + :::image type="content" source="./media/hsts-http-headers-portal/add-rewrite-set.png" alt-text="Add rewrite set."::: |
| 53 | + |
| 54 | +4. Provide a name for the rewrite set and associate it with a routing rule: |
| 55 | + |
| 56 | + - Enter the name for the rewrite set in the **Name** box. |
| 57 | + - Select one or more of the rules listed in the **Associated routing rules** list. You can select only rules that haven't been associated with other rewrite sets. The rules that have already been associated with other rewrite sets are dimmed. |
| 58 | + - Select **Next**. |
| 59 | + |
| 60 | + :::image type="content" source="./media/hsts-http-headers-portal/name-and-association.png" alt-text="Name and Association."::: |
| 61 | + |
| 62 | +5. Create a rewrite rule: |
| 63 | + |
| 64 | + - Select **Add rewrite rule**. |
| 65 | + |
| 66 | + :::image type="content" source="./media/hsts-http-headers-portal/add-rewrite-rule.png" alt-text="Add Rewrite Rule."::: |
| 67 | + |
| 68 | + - Enter a name for the rewrite rule in the **Rewrite rule name** box. Enter a number in the **Rule sequence** box. |
| 69 | + |
| 70 | + :::image type="content" source="./media/hsts-http-headers-portal/rule-name.png" alt-text="Add Rewrite Rule Name."::: |
| 71 | + |
| 72 | +6. Add an action to rewrite the response header: |
| 73 | + |
| 74 | + - In the **Action type** list, select **Set**. |
| 75 | + |
| 76 | + - In the **Header type** list, select **Response**. |
| 77 | + |
| 78 | + - Under **Header name**, select **Common header**. |
| 79 | + |
| 80 | + - In the **Common header** list, select **Strict-Transport-Security**. |
| 81 | + |
| 82 | + - Enter the header value. In this example, we'll use `max-age=31536000; includeSubdomains; preload` as the header value. |
| 83 | + |
| 84 | + - Select **OK**. |
| 85 | + |
| 86 | + :::image type="content" source="./media/hsts-http-headers-portal/action.png" alt-text="Add an Action."::: |
| 87 | + |
| 88 | +7. Select **Create** to create the rewrite set: |
| 89 | + |
| 90 | + :::image type="content" source="./media/hsts-http-headers-portal/create-rewrite-set.png" alt-text="Select Create."::: |
| 91 | + |
| 92 | +## Limitations and Recommendations |
| 93 | + |
| 94 | + - In order to maximize security, you must show HSTS policy as soon as possible when users begin an HTTPS session. In order to enforce HTTPS for a given domain, the browser only needs to observe the STS header once. Hence, it should be added to home pages and critical pages of a site. However, that is not sufficient, it is best practice to cover as much of the URL space as possible and prioritize non-cacheable content. |
| 95 | + |
| 96 | + - In this example, the response header Strict Transport Security is set to `max-age=31536000; includeSubdomains; preload`. However, users can also set the header to equal `max-age=31536000; includeSubdomains`, removing the preload. Preloading helps strengthen HSTS by ensuring clients always access the site using HTTPS, even if it is their first time accessing it. You must submit your domain and subdomains to https://hstspreload.org/ in order to ensure that users will never access the site using HTTP. Although the preload list is hosted by Google, all major browsers use this list. |
| 97 | + |
| 98 | + - HSTS Policy will not prevent attacks against TLS itself or attacks on the servers. |
| 99 | + |
| 100 | +## Next steps |
| 101 | + |
| 102 | +To learn more about directives, please visit https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security |
| 103 | + |
| 104 | +To learn more about how to set up some common header rewrite use cases, see [common header rewrite scenarios](./rewrite-http-headers-url.md). |
0 commit comments