This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 17%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWT%3C/text%3E%3C/svg%3E)
I have created an Azure app and use a custom domain to access it. However, when putting the URL through our cyber security process, it came back that the CSP and HSTS needs to be updated. I cannot find where in Azure to update the security headers. Where can I update the CSP and HSTS for my app?
Hello Wilson, TaRan (Avison Young - US)
HSTS can be enabled in multiple ways: API Management - https://video2.skills-academy.com/en-us/answers/questions/845443/add-hsts-to-an-azure-api-management-service
App Gateway - https://techcommunity.microsoft.com/t5/azure/azure-application-gateway-app-service-secure-headers/m-p/2231277
App Service with Docker Containers - https://azureaggregator.wordpress.com/2022/10/31/adding-hsts-header-in-the-nginx-based-app-service/
Also If you want to follow best security practices and implement Strict Transport Security and Secure Headers in your Azure App Service you will need to add Security Headers in web.config or htaccess files in your web application’s root folder. https://itgala.xyz/implementing-security-headers-in-azure-app-service/