javascript azure http security

Azure blocks POST requests from User-Agent Mozilla/5.0 to App Service


I have an Azure App Service with mandatory authentication based on Azure Active Directory. It is serving an API server and a webapp calling the server.

All the GET requests work perfectly; however, the POST requests all get rejected with 403 Forbidden. The cookies are properly set to pass the authentication check.

Oddly enough, when I replayed the POST requests with Postman, they succeeded. I could narrow down the difference that led to rejection:

Whenever the User-Agent header is Mozilla/5.0

Why is there such a mechanism in Azure? How to deactivate it?


Solution

  • After digging into the suggestion, I could verify that it was neither a CORS issue nor precisely a User-Agent to change.

    Actually, the Chrome browser does not support updating the User-Agent as of 2022-06-06, so this option cannot be chosen.

    The solution idea came from https://github.com/Azure/azure-functions-host/issues/1602#issuecomment-309532954

    And to focus on the fix, in App Service / Authentication:

    1. Authentication settings (Edit)
    2. Allowed external redirect URLs: Add https://{name}.azurewebsites.net

    (Screenshot: step-by-step Azure setting)

    After this, POST requests worked.