I have a React application hosted on an Azure Web App on Linux. It uses Kestrel as the web server. I want to add security headers to the web app, but the Web.config file I added for this is not producing any change.
I tried the same thing by creating another web app on Azure Windows Web Apps and updating its Web.config file as shown below, and there the security headers do get added.
But in the case of the Azure Linux Web App this file has no effect.
This is the Web.config file I am using:
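<?xml version="1.0" encoding="UTF-8"?>
<!--
  IIS configuration for the React site: response security headers
  (system.webServer/httpProtocol), an HTTP to HTTPS redirect and an outbound
  HSTS rewrite (system.webServer/rewrite).
  NOTE(review): these sections are processed by IIS and the IIS URL Rewrite
  module; the question reports they take effect on the Windows app but not on
  the Linux (Kestrel) app.
-->
<configuration>
  <system.web>
    <!-- Suppress the X-AspNet-Version response header. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <!-- START security headers -->
    <httpProtocol>
      <customHeaders>
        <!-- Clickjacking defence: only same-origin pages may frame this site.
             ref.: http://stackoverflow.com/a/22105445/1233379 -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <!-- HSTS: browsers must use HTTPS for this host (and subdomains) for one year.
             This defends against protocol downgrade / SSL stripping, not clickjacking.
             The header is added to every response here; the outbound rule
             "Add Strict-Transport-Security only when using HTTPS" below rewrites its
             value (adding "preload") when {HTTPS} is on. Browsers ignore HSTS received
             over plain HTTP, so the unconditional add is harmless.
             ref.: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
        <!-- Legacy XSS auditor switch. NOTE(review): current browsers have removed the
             auditor and ignore this header; it is kept here for older clients only.
             ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ -->
        <add name="X-XSS-Protection" value="1; mode=block" />
        <!-- MIME-type confusion defence: browsers must honour the declared Content-Type.
             ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- Content Security Policy.
             NOTE(review): script-src * and style-src * permit scripts and stylesheets from
             any origin, so this policy does not limit where code is loaded from; the
             default-src 'self' fallback only constrains directives that are not listed
             (connect-src, frame-src, object-src, media-src, ...). Tighten script-src to
             the origins the app actually uses if XSS containment is the goal.
             ref.: http://content-security-policy.com/ -->
        <add name="Content-Security-Policy" value="default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;" />
        <!-- Referrer: send only the origin, and nothing at all to a less secure (HTTP) destination.
             ref.: https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
        <add name="Referrer-Policy" value="strict-origin" />
        <!-- Deny the listed browser features to this page and its frames.
             NOTE(review): Feature-Policy is the older header name; Permissions-Policy has
             superseded it, so newer browsers may not honour this one. -->
        <add name="Feature-Policy" value="accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'" />
        <!-- Drop the X-Powered-By header that IIS/ASP.NET adds by default (server fingerprinting). -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <!-- END security headers -->
    <rewrite>
      <rules>
        <!-- BEGIN rule TAG FOR HTTPS REDIRECT -->
        <!-- 301 every plain-HTTP request to the same host and path on HTTPS, keeping the query string. -->
        <rule name="Force HTTPS" enabled="true">
          <match url="(.*)" ignoreCase="false" />
          <conditions>
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
        </rule>
        <!-- END rule TAG FOR HTTPS REDIRECT -->
      </rules>
      <outboundRules>
        <!-- On HTTPS responses, replace the Strict-Transport-Security value set in
             customHeaders above with one that also carries "preload".
             NOTE(review): "preload" declares eligibility for the browsers' built-in HSTS
             preload lists; keep it only if the domain is meant to be submitted, since a
             preloaded entry is hard to withdraw. The value here intentionally differs from
             the customHeaders value (preload is added); keep the two in sync when changing
             max-age or includeSubDomains. -->
        <rule name="Add Strict-Transport-Security only when using HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubdomains; preload" />
        </rule>
        <!-- NOTE(review): this rule matches the Content-Security-Policy response header but
             has no <action>, so it does not change the header; it looks like an unfinished
             placeholder. Also note the two RESPONSE_ variable names above spell the header
             differently (underscores vs hyphens); confirm both resolve to the intended header. -->
        <rule name="CSP">
          <match serverVariable="RESPONSE_Content-Security-Policy" pattern=".*" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>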