Remove Server:HTTPAPI/2.0 header on invalid request - azure

I'm trying to stop MS Azure responding with the header/value of Server: HTTPAPI/2.0 on receipt of an invalid request, for example an invalid hostname.
I've seen this SO entry...
Removing Server and X-Powered-By HTTP Headers on Azure Web Site Preview
..and one answer suggests that the only way to get around this is to host the website on an Azure VM, something I'd much rather avoid.
It's 3.5 years on from that question/answer - does anyone know if it can now be suppressed in a WebApp solution?

According to the description at Remove standard server headers in Azure Web Sites:
HTTP headers are part of the communication process between web servers and browsers, and are included in the request and response. One example is the server header, which lists the product name and version of the web server (e.g., Microsoft-IIS/8.0). All web servers generate these headers, but now you can disable them on Azure Web Sites.
You can try to modify or create a new web.config in the root directory of your application on Azure Web Apps, with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
Please refer to https://azure.microsoft.com/en-us/blog/removing-standard-server-headers-on-windows-azure-web-sites/ for more info.

To remove the MVC header, add this in Global.asax - Application Start event:
MvcHandler.DisableMvcResponseHeader = true;
Using this will remove the version headers,
<httpRuntime enableVersionHeader="false" />

Related

CORS policy error with front end and back end all on Azure

We have an Angular web application running on Azure. The backend is Dot Net Core 3.1. The Authentication is done through Azure AD. What is happening is the following steps
User logs into the web site and navigates to a page. Everything is working as expected
The user logs out, but does not close the tab. The Logout screen is shown as expected
The user opens a new tab and navigates to the web site
The user is NOT prompted for a login and when the user navigates to a page they get the error
Access to XMLHttpRequest at 'https://login.microsoftonline.com/2aa666ca-a53c-4274-bfcc-41b83867d22a/oauth2/authorize?client_id=794424bb-0ad2-41f8-b007-b71ed576b793&redirect_uri=https%3A%2F%2Fmydomain.azurewebsites.net%2Fsignin-oidc&response_type=id_token&scope=openid%20profile&response_mode=form_post&nonce=637782164067215548.NzQ4MWQxNjgtYjdlZS00OTlmLWIwYzctM2NhZWRkZjdhMTZiYzdmNjljOTEtNTk3OS00NDlhLWEzZjgtODZkN2YyZDZmYzlh&state=CfDJ8IE9b1M0cDdJqtQPg1_KxRR0vlYAN1zOfKzhpzhdzqvcX_XGygV8nincOzoVYDPPyZWnbh5SrGMDZhQfmUDlO4wQ41v_7Q_gJCUHftetejZZQZTS7Uhn-IVBRysh36hvldRY2pxcZBKCQHLYkKMnR2my9R0TqsaqEAI4gGNUUHwa8fJnv4xj0lkMJq_DORhJS4AwLMhtQWGvuIp0gzQ_cGR0gjGZvMRMTaBZunGBDexThOzzbAyQJTCJuNxUUB_tvAm0cFEVWb3lTPYRgk1ARnagmg7a6GDFrCnXT7vT_3VJjUyMzrazbt1xeRtrs1AdlUIX1fnnFsGZPGUBA3kYvzTyEgVkm97FGBTPgeGZAP3W&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0' (redirected from 'https://mydomain.azurewebsites.net/api/profileTypes?_=1642619606751') from origin 'https://mydomain.azurewebsites.net' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
If the user refreshes the page, then they are forced to login and everything begins working again
I have tried adding in CORS as directed on other questions and other websites as follows
In the ConfigureServices function of startup.cs the following code is present
services.AddCors(o => o.AddPolicy("CorsPolicy", builder =>
{
    builder
        .WithOrigins(new[] { "http://YOUR_FRONTEND_ORIGIN" })
        .AllowAnyMethod()
        .AllowAnyHeader()
        .AllowCredentials();
}));
In the Configure function of the startup.cs is the following code
app.UseCors("CorsPolicy");
I am confused as to why CORS would even come into play as everything is on the same Azure subscription, but I added the above code and it does not change anything. Searching the internet gives mainly the same or similar implementations as above.
I am not sure how to proceed or even what questions to ask, so any help would be appreciated.
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism which basically allows a server to indicate any origins other than its original URL or scheme or domain or port. But CORS settings may also vary between different browsers, which may cause this error.
In the case of Azure App Service, it sets the “AppServiceAuthSession” cookie for the authenticated session with the browser. The web application may use XMLHttpRequest / AJAX requests inside the app and the request sent may contain the AppServiceAuthSession cookie. When this cookie is still present in the browser and the web page pointing to the page of the app may not be the original URL, which might be the possible cause of the error. When this cookie is not present in the request, Azure App Service will redirect the request to Azure AD for login; that is why it works when you refresh it.
If the browser is enabled with CORS, it makes a pre-flight CORS check to the specified URL and gets the Access-Control-Allow-Origin headers; we can modify these headers accordingly, if origin restriction is not required.
Try to insert the HTTP protocol settings present in the ASP.NET Web API backend, in the Web.config between the <system.webServer> </system.webServer> tags,
Example:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Access-Control-Allow-Origin" value="*" />
      <add name="Access-Control-Allow-Headers" value="Content-Type" />
      <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
and you can try to enable access to all origins from browser settings.
Please check this reference access to xmlhttprequest has been blocked by cors policy Code Example (codegrepper.com) if you can enable credentials to true and by using cors variable to use in app.use(cors).
References:
Cross-origin XMLHttpRequest - Chrome Developers
express - Angular CORS request blocked - Stack Overflow

How to: Password Protect Azure App service

I have a website that is hosted in an Azure App Service. Are there any options in Azure so that I can put a password on the website? Ideally without changing the website's code.
Just a basic password or user name and password, doesn't need to be google or facebook login or AD login.
It is a .net based website and I have seen a few options to do this, but it means I have to change the code of the website in some way or another.
Surely with all that sophisticated cloud technology, I can go in to the portal and set a password at a server level? - Or is the only way to make some kind of change to the application?
It is possible to enable Basic Authentication for Azure Web Apps with some settings in the applicationHost.xdt. You can load some modules in this file on the start of your Web App.
Steps:
Navigate to your WebApp in the Azure Portal
In the left menu, search for the header Development Tools and select Advanced Tools (Kudu)
Use the Debug Console > CMD tool, to navigate to the WebApp directory: \home\site
Create a file named: applicationHost.xdt
Paste the following:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <location path="%XDT_SITENAME%" xdt:Locator="Match(path)">
    <system.webServer>
      <rewrite xdt:Transform="InsertIfMissing">
        <allowedServerVariables xdt:Transform="InsertIfMissing">
          <add name="RESPONSE_WWW_AUTHENTICATE" xdt:Locator="Match(name)" xdt:Transform="InsertIfMissing" />
        </allowedServerVariables>
        <rules xdt:Transform="InsertIfMissing">
          <rule name="BasicAuthentication" stopProcessing="true" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)">
            <match url=".*" />
            <conditions>
              <add input="{HTTP_AUTHORIZATION}" pattern="^Basic dXNlcjpwYXNzd29yZA==" ignoreCase="false" negate="true" />
            </conditions>
            <action type="CustomResponse" statusCode="401" statusReason="Unauthorized" statusDescription="Unauthorized" />
            <serverVariables>
              <set name="RESPONSE_WWW_AUTHENTICATE" value="Basic realm=Project" />
            </serverVariables>
          </rule>
        </rules>
      </rewrite>
    </system.webServer>
  </location>
</configuration>
Change the Basic Auth to your liking (default in example is: user:password)
Make sure the web.config rewrite rules don't contain <clear /> as this will remove the effects from the applicationHost.xdt file
Save the file and Stop and Start your WebApp (a simple Restart will not suffice)
Notes:
Not sure if this works on Linux based WebApps..
You can add this step to your deployment pipelines by using FTP
Update: I've noticed issues with applicationHost.xdt while using it on secondary Web App slots. Only the primary slot seems to work.
PS: Cross-post from my answer here.
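Added example, not part of the original answer: when changing the credentials in the rule above, the pattern attribute is a regular expression, so the Base64 token needs its metacharacters escaped and an end anchor to match exactly one header value. The helper names basicAuthPattern and isRejected and the credentials are constructed for illustration, and the code assumes the rule uses URL Rewrite's default regular-expression pattern syntax.

```javascript
// Added example: build the `pattern` value for the BasicAuthentication rule.
// Helper names and the credentials used below are constructed.
function basicAuthPattern(user, password) {
  if (user.includes(":")) {
    // The first ':' separates user and password, so the user cannot hold one.
    throw new Error("user name must not contain ':'");
  }
  const token = Buffer.from(user + ":" + password, "utf8").toString("base64");
  // Base64 output may contain '+', which is a regex quantifier: escape it.
  const escaped = token.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  // The trailing '$' makes the rule accept this exact header value only.
  return "^Basic " + escaped + "$";
}

// Mirrors the rule's condition with negate="true": the 401 action runs
// whenever the Authorization header does NOT match the pattern.
function isRejected(pattern, authorizationHeader) {
  return !new RegExp(pattern).test(authorizationHeader || "");
}

// Constructed check: the password ">>>" encodes to a token ending in '+'.
const naive = "^Basic " + Buffer.from("ab:>>>").toString("base64");
const strict = basicAuthPattern("ab", ">>>");
const otherToken = "Basic YWI6Pj4/"; // a different credential
console.log("naive pattern: ", naive, "rejects other token:", isRejected(naive, otherToken));
console.log("strict pattern:", strict, "rejects other token:", isRejected(strict, otherToken));
```

Run it with Node.js and paste the returned string into the pattern attribute of the condition.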
You can use Authentication and authorization in Azure App Service.
Authentication/Authorization was previously known as Easy Auth.
Azure App Service provides built-in authentication and authorization support, so you can sign in users and access data by writing minimal or no code in your web app, RESTful API, and mobile back end, and also Azure Functions. This article describes how App Service helps simplify authentication and authorization for your app.
Source: Authentication and authorization in Azure App Service and Azure Functions.
EDIT:
The above is a solution to have a password protected App Service without changing any code whatsoever. At this point there is no alternative, as you can see in the open feedback issue Allow HTTP Basic authentication on basic apps
Hi everyone, we understand the demand for this feature, but we do not plan to support authentication at this level. We suggest using EasyAuth for this scenario.
https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
EDIT 2:
This method forces the user to use google or facebook, etc...
This is not true. You can also create a user in your Azure Active Directory and use that one with Easy Auth. The username would be something like username#<YOUR-TENANT>.onmicrosoft.com

Azure API App adds extra Access-Control-Allow-Origin header

It appears that when deploying a web app as an Azure API App, it adds an extra Access-Control-Allow-Origin: * header to the response. How can I override and remove this?
My project uses SignalR and OWIN, when I add or change the Access-Control-Allow-Origin through the requests or setup in my own code, I get to specify another Access-Control-Allow-Origin header property, but the additional wildcard (*) header is always added as well.
This makes my requests to SignalR fail, as it includes authentication header which is not allowed when origin is *.
API Apps are hosted behind the "API app host", I presume that is the origin of this additional header. Is there any way I can modify this behavior?
Note: the additional header is NOT present when deployed as a regular Azure Web App.
This may be because you have the MS_CrossDomainOrigins app setting set in addition to having CORS enabled in your backend. If so, please remove one or the other.
Thanks.
Watch out that you do not have something like this set up in your web.config:
<httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
  </customHeaders>
</httpProtocol>
Delete it if it exists.
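Added example, not part of the original question or answers: the failure described in this thread (a second Access-Control-Allow-Origin header, or a wildcard on a credentialed request) can be reproduced by applying the browser's CORS check to a set of response headers. The function name corsCheck, the origin https://app.example and the sample responses are constructed for illustration.

```javascript
// Added example: apply the browser's CORS check to a set of response headers.
// Headers are [name, value] pairs so that duplicate headers stay visible.
function corsCheck(headers, origin, withCredentials) {
  const get = (name) =>
    headers.filter(([n]) => n.toLowerCase() === name).map(([, v]) => v.trim());

  const allowOrigin = get("access-control-allow-origin");
  if (allowOrigin.length === 0) {
    return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (allowOrigin.length > 1) {
    // Duplicates are combined into "a, b", which equals no single origin.
    return { ok: false, reason: "multiple values: " + allowOrigin.join(", ") };
  }
  const value = allowOrigin[0];
  if (value === "*") {
    // The wildcard is only honoured when no credentials are sent.
    return withCredentials
      ? { ok: false, reason: "wildcard not allowed with credentials" }
      : { ok: true, reason: "wildcard, no credentials" };
  }
  if (value !== origin) {
    return { ok: false, reason: "origin mismatch: " + value };
  }
  if (!withCredentials) return { ok: true, reason: "origin matches" };
  const allowCreds = get("access-control-allow-credentials");
  return allowCreds.length === 1 && allowCreds[0] === "true"
    ? { ok: true, reason: "origin matches, credentials allowed" }
    : { ok: false, reason: "Access-Control-Allow-Credentials is not true" };
}

// Constructed sample responses (hypothetical origin, not captured traffic).
const ORIGIN = "https://app.example";
const samples = {
  duplicatedByHost: [
    ["Access-Control-Allow-Origin", ORIGIN],
    ["Access-Control-Allow-Credentials", "true"],
    ["Access-Control-Allow-Origin", "*"],
  ],
  wildcardOnly: [["Access-Control-Allow-Origin", "*"]],
  explicitOrigin: [
    ["Access-Control-Allow-Origin", ORIGIN],
    ["Access-Control-Allow-Credentials", "true"],
  ],
};
for (const [name, hdrs] of Object.entries(samples)) {
  const r = corsCheck(hdrs, ORIGIN, true);
  console.log(name, r.ok ? "PASS" : "FAIL", "-", r.reason);
}
```

Only the response with a single explicit origin and Access-Control-Allow-Credentials: true passes for a request that carries credentials.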

How to disable ServiceStack redirect on failed authentication?

I am implementing ServiceStack side-by-side with an MVC application. My main application uses forms authentication which is configured in my web.config. When the authentication fails, I don't get the 401 UnAuthorized as I expect I should. (reference: https://stackoverflow.com/a/13073251/743752)
I have added HtmlRedirect = null to my AuthFeature but this did not work. My requests are returning with what is my login page. ~/Login?ReturnUrl=%2fapi%2fauth%2fcredentials
I'm sending my payload as POST with content-type: application/json
Is there another way of disabling redirects on failed login?
Are you using FormsAuthentication and ServiceStack Authentication in the same application? I think MVC is doing the redirect (not ServiceStack) because you have the <authentication> element in your web.config...probably something like...
<authentication mode="Forms">
  <forms loginUrl="~/Login" />
</authentication>
If you don't need FormsAuthentication you can remove this <authentication> element from your web.config file.

Trouble with 'Anonymous' and 'Negotiate,NTLM' authentication in IIS7.5

I have added the following configuration section to my web.config file
<security>
  <authentication>
    <anonymousAuthentication enabled="true" />
    <windowsAuthentication enabled="true" />
  </authentication>
</security>
But when I call the *.asmx web service, I still got the following error:
The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.
I am using the IIS7.5 ASP.NET integrated mode.
Any clues? I just found the IIS Authentication is very poor and unstable.
Thanks!
It turns out that we need to grant NTFS permission on the target folder to the Anonymous Authentication "Authenticated As" identity, besides enabling Anonymous Authentication in IIS.
Windows Authentication happens in both IIS and NTFS file system. I always forget the latter one. I will cut my dummy brain.
