Azure · Cloudintermediate
Azure Static Web Apps — staticwebapp.config.json
The staticwebapp.config.json that controls routing, role-based authorization, custom auth, fallback for client-side routers, and response overrides for an Azure Static Web App.
azurestatic-web-appsroutingauthspa
Preview
{
"routes": [
{
"route": "/admin/*",
"allowedRoles": [
"administrator"
]
},
{
"route": "/api/*",
"allowedRoles": [
"authenticated"
]
},
{
"route": "/login",
"rewrite": "/.auth/login/aad"
},
{
"route": "/logout",
"redirect": "/.auth/logout"
},
{
"route": "/old-path",
"redirect": "/new-path",
"statusCode": 301
}
],
"navigationFallback": {
"rewrite": "/index.html",
"exclude": [
"/images/*.{png,jpg,gif}",
"/css/*",
"/js/*"
]
},
"responseOverrides": {
"401": {
"redirect": "/login",
"statusCode": 302
},
"403": {
"rewrite": "/403.html"
},
"404": {
"rewrite": "/404.html"
}
},
"globalHeaders": {
"X-Content-Type-Options": "nosniff",
"Content-Security-Policy": "default-src 'self'; img-src 'self' data:"
},
"mimeTypes": {
".json": "application/json",
".webmanifest": "application/manifest+json"
}
}AI actions
Documentation
Purpose
Configure the edge behavior of an Azure Static Web App: which routes need which roles, how unmatched routes fall back to the SPA shell, and how errors are handled.
When to use
Deploying a single-page app (React/Vue/Angular) to Azure Static Web Apps that needs client-side routing, protected sections, or custom auth providers.
Required fields
- routes — per-path rules for auth, redirects and rewrites
- navigationFallback — the SPA fallback for unmatched navigation requests
Optional fields
- responseOverrides — custom pages for 401/403/404 responses
- auth — custom identity provider registrations
- globalHeaders — headers applied to every response
- mimeTypes — extension-to-content-type mappings
Best practices
- Exclude static assets from navigationFallback so images and JS are served directly.
- Gate protected routes with allowedRoles rather than checking auth in client code alone.
- Set security headers (CSP, X-Content-Type-Options) in globalHeaders.
Security considerations
- Do not place client secrets in this file; auth provider secrets go in application settings.
- Return 404 (not 403) for protected admin routes to avoid revealing their existence.
- Keep a strict Content-Security-Policy to limit XSS blast radius.