articles/static-web-apps/configuration.md
8 additions & 3 deletions
Original file line number | Diff line number | Diff line change
@@ -5,7 +5,7 @@ services: static-web-apps
5
5
author: craigshoemaker
6
6
ms.service: static-web-apps
7
7
ms.topic: conceptual
8
-
ms.date: 12/30/2021
8
+
ms.date: 02/03/2022
9
9
ms.author: cshoe
10
10
---
11
11
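Review bot: no concerns with this metadata hunk; the only change is the `ms.date` bump from 12/30/2021 to 02/03/2022, which should match the publication date of the content change in the later hunks.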
@@ -137,10 +137,13 @@ Common uses cases for wildcard routes include:
137
137
- Enforcing authentication and authorization rules
138
138
- Implementing specialized caching rules
139
139
140
-
### Securing routes with roles
140
+
### <aname="securing-routes-with-roles"></a>Securing routes with roles
141
141
142
142
Routes are secured by adding one or more role names into a rule's `allowedRoles` array. See the [example configuration file](#example-configuration-file) for usage examples.
143
143
144
+
> [!IMPORTANT]
145
+
> Routing rules can only secure HTTP requests to routes that are served from Static Web Apps. Many front-end frameworks use client-side routing that modifies routes in the browser without issuing requests to Static Web Apps. Routing rules don't secure client-side routes. Clients should call [HTTP APIs](apis.md) to retrieve sensitive data. Ensure APIs validate a [user's identity](user-information.md) before returning data.
146
+
144
147
By default, every user belongs to the built-in `anonymous` role, and all logged-in users are members of the `authenticated` role. Optionally, users are associated to custom roles via [invitations](./authentication-authorization.md).
145
148
146
149
For instance, to restrict a route to only authenticated users, add the built-in `authenticated` role to the `allowedRoles` array.
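Review bot: the anchor in the new heading at line 140 reads `<aname="securing-routes-with-roles"></a>`, with no space between `a` and `name`; as written that is not a valid HTML tag, so the anchor that the new cross-reference in the later hunk links to would not resolve. It should be `<a name="securing-routes-with-roles"></a>`. It is also worth confirming whether the renderer already generates the id `securing-routes-with-roles` from the heading text, in which case the explicit anchor is redundant. The IMPORTANT callout is the right addition: route rules are enforced only on requests that reach Static Web Apps, and client-side routing never issues one. Consider stating explicitly that anything shipped in the client bundle is reachable regardless of routing rules, since that is the reason the callout directs sensitive data behind HTTP APIs that validate the user's identity.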
@@ -316,7 +319,9 @@ In addition to IP address blocks, you can also specify [service tags](../virtual
316
319
*[Default authentication providers](authentication-authorization.md#login), don't require settings in the configuration file.
317
320
*[Custom authentication providers](authentication-custom.md) use the `auth` section of the settings file.
318
321
319
-
## Disable cache for authenticated paths
322
+
For details on how to restrict routes to authenticated users, see [Securing routes with roles](#securing-routes-with-roles).
323
+
324
+
### Disable cache for authenticated paths
320
325
321
326
If you have enabled [enterprise-grade edge](enterprise-edge.md), or set up [manual integration with Azure Front Door](front-door-manual.md), you may want to disable caching for your secured routes.
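Review bot: demoting `Disable cache for authenticated paths` from `##` to `###` at line 324 changes the page's TOC nesting, so confirm it is meant to sit under the authentication section rather than stand alone; the heading text is unchanged, so the slug `#disable-cache-for-authenticated-paths` and any existing deep links still resolve. The cross-reference added at line 322 depends on the `securing-routes-with-roles` anchor introduced in the previous hunk; that link only works if the anchor tag there is syntactically correct or the renderer derives the same id from the heading text.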