Locking down my blog's Front Door
Albert-Jan Schot

· 2 min read

It has been a while since I updated my blog. So I figured it was time to do some maintenance. Upgrading Hugo to the latest version, adding a few HTML tweaks for things that bothered me and most importantly, locking down the front door of my blog. After reading Easily adding Security Headers to your ASP.NET Core web app and getting an A grade by Scott Hanselman, I decided to take a look at my own blog and see how I could improve the security headers.

Static Sites

Static sites are great for performance and simplicity, and since it is just HTML I did not bother too much about the security headers at the time of deployment. But since I am using Azure Front Door, I can easily add security headers to my blog there.

You can check your own site using SecurityHeaders.com and see which headers are missing. Now I am not here to argue that you should always score an A+ on the test, but since I was already behind Azure Front Door, setting it up was very easy.

Front Door Configuration and Security Headers

Within Azure Front Door you can configure your endpoint with rules. These rules can be used to change various settings, including adding security headers. I created two rules: there is a limit on the amount of configuration you can do within a single rule, so I decided to split them up.

The first rule always adds caching and sets the first three security headers; the second rule adds the rest of the security headers. The rules are as follows:

Azure Front Door Rules

As you can see I added the following headers based on the recommendations from SecurityHeaders.com:

Header | Value | Why
--- | --- | ---
Strict-Transport-Security | max-age=31536000; includeSubDomains; preload | Enforce HTTPS
X-Frame-Options | SAMEORIGIN | Prevent clickjacking
X-Content-Type-Options | nosniff | Block MIME type sniffing
Content-Security-Policy | default-src 'self'; script-src 'self'; object-src 'none' | Mitigate XSS
Permissions-Policy | geolocation=(), microphone=(), camera=() | Disable unused browser features
Referrer-Policy | strict-origin-when-cross-origin | Limit referrer data

You can find a more detailed explanation of all the headers at the OWASP site. With the ease of setting the headers using Azure Front Door, I was able to get an A+ score on SecurityHeaders.com within just an hour's worth of reading and configuring, so I can recommend doing the same!
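To confirm the rules actually took effect after deployment, here is an added check (not code from the post) that compares a response-header mapping against the six headers in the table; it parses HSTS and CSP instead of string-matching them, so a weakened max-age or an 'unsafe-inline' source is reported too. BEFORE and AFTER are constructed samples.

```python
# Headers compared verbatim (case and whitespace ignored); values from the post's table.
EXPECTED = {
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "geolocation=(), microphone=(), camera=()",
}

def norm(value):
    """Lowercase and strip whitespace so formatting differences are not flagged."""
    return "".join(value.split()).lower()

def parse_hsts(value):
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}"""
    parts = (p.strip().partition("=") for p in value.split(";") if p.strip())
    return {k.strip().lower(): v.strip() for k, _, v in parts}

def parse_csp(value):
    """'default-src 'self'; object-src 'none'' -> {'default-src': ["'self'"], 'object-src': ["'none'"]}"""
    return {t[0].lower(): t[1:] for t in (p.split() for p in value.split(";")) if t}

def check_headers(headers):
    """Return a list of findings for a response-header mapping; [] means all six headers look right."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"{n}: missing" if n not in h else f"{n}: got {h[n]!r}, want {w!r}"
                for n, w in EXPECTED.items() if n not in h or norm(h[n]) != norm(w)]
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    age = int(m) if (m := hsts.get("max-age", "")).isdigit() else 0
    if age < 31536000 or "includesubdomains" not in hsts:  # one year, as in the post's max-age
        findings.append("strict-transport-security: missing, max-age under a year, or no includeSubDomains")
    csp = parse_csp(h.get("content-security-policy", ""))
    if "default-src" not in csp or csp.get("object-src") != ["'none'"]:
        findings.append("content-security-policy: missing, no default-src, or object-src not 'none'")
    for directive, sources in csp.items():
        if "'unsafe-inline'" in sources or "*" in sources:
            findings.append(f"content-security-policy: {directive} allows 'unsafe-inline' or *")
    return findings

# Constructed samples: a bare static-site response, and the header set the post's two rules produce.
BEFORE = {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"}
AFTER = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

For a live check, feed it `dict(urllib.request.urlopen(url).headers)` from the standard library.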

Albert-Jan Schot

CTO, Microsoft MVP & FastTrack Recognized Solution Architect

I am Albert-Jan Schot, CTO at Blis Digital, Microsoft MVP, and FastTrack Recognized Solution Architect focused on Microsoft 365, Azure, and AI agents. I help teams turn complex Microsoft Cloud challenges into practical architecture decisions and shipped outcomes.