Azure Storage Static Website security issues - azure

I am working in an Azure Storage Static Website. This website is publicly available and is intended to perform operations against Azure Storage (manage multimedia - crud actions). I am afraid that since it is a client-side app, anybody can use the code to perform unintended operations against the storage account. Any thoughts how can i protect the app against this? Also i am looking for a solution to avoid hardcoded keys/SAS tokens to have permission for the operations against the storage account. I was thinking about using the managed service identity. Anyone had experience with it, since it is in preview mode?

You should definitely not put keys or SAS tokens client-side. As you say, anybody can obtain this and get access to the storage account. One solution is to use an HTTP-triggered serverless function to generate a SAS token as needed. Then you can issue a time-limited SAS to only the resources you want to be publicly accessible. The below tutorial shows how to do this.
https://learn.microsoft.com/en-us/azure/functions/tutorial-static-website-serverless-api-with-database

The static website endpoint is strictly read only. So the client will not be able to change the content of the website.
Currently static website is anonymous access. "add oauth" will be added soon. For read access, once the site is enabled, it'll be available to all public.
Currently we don't have oauth support. Anybody can read the content of the website as long as they have the uri

Related

Using shared access signatures in Xamarin with Azure

I am working on an app developed using Xamarin Forms. The app connects to a container on Azure to read a couple of text files. The text files don't contain any confidential or secret information, just some publicly available information that the app uses.
I am able to connect to the storage container and read the blob without issue however I am readying the app for release to the App store and Google Play store so was following this guide around using Shared Access Keys to connect to Azure.
https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
To be honest, I am a bit confused as to which approach I should use. The app itself will be connecting to the container and reading the blob, so it won't be an actual "user" as such like joeB, or JaneB. That makes me think a user delegated SAS is not the way to go, although the documentation seems to suggest this is the most secure option.
I also noticed the user delegated sas token itself expires after a period of time and the app started crashing when trying to autheticate/connect. I am not sure if that is also the case with a service SAS and account SAS.
Basically, for my use case (an app reading a text file in a container in Azure), which is the best option for me to use based on those listed in the link above? Has anyone else done something similar? If so, how did you secure your connection string?
Thanks!

Azure CDN Verizon Premium Hidden SAS token GET method Error 403

I have pretty simple question.
Our company is using Azure CDN Premium Verizon (because of options of Rules Engine).
I have succesfully configured Endpoint with custom domain which is pointed to Origin Azure Blob Storage.
In this blob storage we have some Containers secured as Private.
I have followed instructions on Microsoft website to configure Hidden SAS token Authentication with URL Rewrite Rule.
The CDN point called cdn.company.com is working pretty nice. The content stored in Private Blob Storage is view-able in any internet browser (Chrome, IE, Edge..) via CDN point and also with hidden SAS token Rule.
The problem is that our API of internet application is trying to call CDN endpoint via GET method. And thats it. Everytime an error 403 has been occured. I dont really know how to fix that.
I am attaching screenshot from rule engine down below.
Thank you for every ideas.
In screenshots I am trying to get content via GET method of some JavaScript stored in private container "jsc".
Solved... In the end it was problem with regex syntax. The second problem was that our API of the Internet Application generated a random pattern automatically.
So I used regex like
/80XXXXX/XXXXXXX/([\w-.]+[^#?\s]+)(.*)?(#[\w-]+)?$
and now everything works properly.

azure storage public website control access by azure domain controller

I setup a static web site in azue storage, is it possible to control who have access to that website, I have read a couple of question here but I can't get my head around it.
let's say, I work in company new_KFC, all I want is only user1#new_KFC.com user2#new_KFC.com get access, all other user when they try to access the website, get error
we are already using azure active directory
Static websites are public access only. However, you can can build a separate authentication layer that protects your data through AAD Authentication using ADAL and Storage JS libraries. See a demo of a similar SPA from the last //build session:
https://channel9.msdn.com/Events/Build/2018/BRK3313
Please also provide your feedback here: https://feedback.azure.com/forums/217298-storage/suggestions/36453091-enable-authorization-to-the-azure-static-websites so that we understand your feedback/demand for this feature.
Thanks,
Aung Oo
Azure Storage PM Team

Are there any examples of Authenticating a User against Windows Azure Rest API without certificates

According to the releases a few day ago by Scottgu, its now possible to use the windows azure management api without client certificates.
Are there any examples of doing this?
I have a Azure Cloud Service Package that I would like to let people deploy from my website. Therefore I would like to, from javascript, to authenticate the user to their Azure subscription ( some oauth against the WAAD ) and then by rest api deploy my package for them.
I dont need a concrete examples, but just some pointers on how I could do this.
I dont want users to give me their passwords offcause, therefore i need some guidance on how I can do SSO of the user against WAAD/Windows Azure management api and from there use the access token to deploy the package.
As of today, the Service Management API documentation regarding this new authentication mechanism (http://msdn.microsoft.com/en-us/library/windowsazure/ee460782.aspx) is not updated. Since the new login mechanism is supported in PowerShell which is essentially a REST Wrapper over this API and is open source, one thing you could do is take a look at the source code of the Cmdlets on Github (https://github.com/WindowsAzure/azure-sdk-tools) to see how it is accomplished there and write something of your own (and share it here:)).

How to host html application on Azure

I have a single page html application, that uses a lot of jQuery. The app content (data as xml and media audio/video/image) is (and has to be) provided by blobs on azure account. I don't need any application server.
What is the recommended way to host such single page html application on Windows Azure Environment (Azure is a requirement).
As I do not need any application server, all application files are currently uploaded into single container as Blobs with appropriate content types. It all works very good.
Still, I've seen that Azure has some website hosting capabilities I've been wondering if what I did is appropriate?
Thanks
Windows Azure Web Sites would work well and could be free for the duration. If the constraints of the free offering don't work for you, you can scale out easily.
You could also store your home page in Azure blob storage, but that means users would have to have the full path to it as there's no server configuration to specify a default page. Publicizing your site endpoint via a vanity URL from bit.ly or the like could make that a non-issue though.
Do note though, that by having everything in blob storage, you're incurring a transaction cost for every image, every page, every script access (that's not cached on the browser that is). Depending on the nature of your site and traffic, it could be more cost-effective to leverage something like Windows Azure Web Site for some of this.

Resources