How to forward access-control-allow-origin header from a Web App to a Front Door?

I currently have a web app running in containers with the access-control-allow-origin header correctly configured on it. However, when I check the front door in front of this web app, the same header has the option '*' -- accepting all types of requests, differently from the configured one.

How do I get the front door to propagate this web app header?

Lucas Almeida Carotta asked Nov 25 '25 15:11


2 Answers

Here is the official document about this: Azure Front Door Rule Set

On Azure Front Door, you can create a rule in the Azure Front Door Rules Set to check the Origin header on the request. If it's a valid origin, your rule will set the Access-Control-Allow-Origin header with the correct value. In this case, the Access-Control-Allow-Origin header from the file's origin server is ignored and the AFD's rules engine completely manages the allowed CORS origins.

Doris Lv answered Nov 27 '25 03:11


Doris Lv's previous answer is correct, but I would also like to point out some things:

  • Be careful not to add the slash (/) at the end of the URL -- I had that added, and that's why it didn't work.


  • After creating the rule, go to the Front Door designer (FDD) and link this new rule with some of the routing rules available.


  • Also in FDD, click on the Purge button to clear the previous cache and load the new configuration.


Another important thing is that I had to do this configuration because HCL AppScan said that the Access-Control-Allow-Origin header was too permissive; that being said, the scan pointed out that the JavaScript files had this problem, which they didn't; only the CSS and TTF files had this header. A closer look at the scan report showed that what was going on is that the Vary header had the value Origin in it, making the scan report a Cross-Origin Resource Sharing (CORS) issue. To fix this, just add a new rule in the Rules engine configuration removing this header.


After this, the scan didn't report any more issues.

Lucas Almeida Carotta answered Nov 27 '25 05:11
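As an added example (not code from either answer or from Azure Front Door itself), the Python below mirrors the rules-engine behaviour the answers describe: reflect Access-Control-Allow-Origin only for an allowlisted Origin (comparing origins without the trailing slash that tripped up the second answer), and audit a response's headers for the things a scanner flags (a wildcard ACAO, and a Vary header that includes Origin). The allowlist and sample headers are constructed values, not from the page; when an edge reflects per-origin ACAO values and also caches, Vary: Origin is what keeps one origin's cached response from being served to another.

```python
"""Simulate the Front Door CORS rule and audit response headers (added example)."""
from urllib.parse import urlsplit

# Constructed allowlist (assumed values, not from the question or answers).
# Note the second entry carries the trailing slash the answer warns about.
ALLOWED_ORIGINS = ["https://app.example.com", "https://admin.example.com/"]


def normalize_origin(value: str) -> str:
    """Reduce a URL or origin to scheme://host[:port], lower-cased.
    A browser Origin header never carries a path or trailing slash, so an
    allowlist entry like 'https://admin.example.com/' would never match
    unless it is normalised first."""
    parts = urlsplit(value.strip())
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an origin: {value!r}")
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def cors_response_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Headers the edge rule should add for one request.
    Allowlisted Origin -> reflect it (plus Vary: Origin for caches);
    anything else (including a missing Origin) -> add no ACAO at all."""
    allowed_set = {normalize_origin(a) for a in allowed}
    try:
        origin = normalize_origin(request_origin or "")
    except ValueError:
        return {}
    if origin not in allowed_set:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def audit_cors(headers):
    """Return the findings a scanner would raise for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    acao = h.get("access-control-allow-origin")
    if acao == "*":
        findings.append("ACAO is wildcard '*'")
        if h.get("access-control-allow-credentials", "").lower() == "true":
            findings.append("wildcard ACAO combined with credentials")
    vary_values = [v.strip().lower() for v in h.get("vary", "").split(",")]
    if "origin" in vary_values:
        findings.append("Vary includes Origin")
    return findings
```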


