Web Static Web Apps complete field-manual-complete field-manual-complete

Static Web Apps route rule

A Static Web Apps route rule is an instruction for what should happen when someone requests a particular path. It can protect a route, redirect an old URL, rewrite a request, return a specific status, or support single-page application behavior. Route rules live in staticwebapp.config.json, so they are usually reviewed and deployed with the code. They are not just navigation settings; they decide how the hosted site responds to real user requests. A small route-rule mistake can expose, block, or misroute important pages.

Back to glossary browser Open Microsoft Learn source
Aliases
static-web-apps-route-rule, Static Web Apps route rule, SWA route rule, staticwebapp.config.json route, Static Web Apps routes, route authorization rule
Difficulty
intermediate
CLI mappings
5
Last verified
2026-05-25

Microsoft Learn

Microsoft Learn describes Static Web Apps route rules as entries in staticwebapp.config.json that define routing behavior. A rule can target paths, require roles, rewrite or redirect requests, set status codes, and shape how the Static Web Apps runtime handles matching browser or API requests.

Microsoft Learn: Configure Azure Static Web Apps2026-05-25

Technical context

Technically, route rules are evaluated by the Azure Static Web Apps runtime as part of request handling. They sit inside staticwebapp.config.json and interact with authentication, authorization roles, navigation fallback, response overrides, headers, APIs, and static assets. A route can match public pages, protected dashboard paths, legacy redirects, or /api requests. Operators usually inspect route rules in source control and validate their effects through browser tests, CLI environment checks, and deployment logs. The concept belongs to application configuration, security boundary design, and release validation rather than Azure resource provisioning alone.

Why it matters

It matters because routing mistakes are some of the easiest Static Web Apps failures to ship and some of the hardest for users to describe. A missing allowedRoles entry can expose private content. An overly broad redirect can create loops. A rewrite can send API traffic to the wrong place. A single-page app can return 404s on direct refresh if fallback behavior and route rules are poorly planned. Route rules give teams precise control, but that control deserves code review and testing. Learners should understand that the visible link structure is not the enforcement layer; the route rule is what Azure evaluates.

Where you see it

Signals, screens, and Azure surfaces where this term usually becomes operational.

Signal 01

In staticwebapp.config.json, where route entries define matching paths, allowed roles, redirects, rewrites, status codes, and related request behavior. during route validation, security review, and release testing.

Signal 02

In browser developer tools, where route-rule mistakes appear as 301, 302, 401, 403, 404, rewrite, or redirect-chain behavior. during route validation, security review, and release testing.

Signal 03

In pull-request reviews, where configuration changes to protected paths or legacy redirects should be tested before a Static Web Apps deployment. during route validation, security review, and release testing.

When this becomes relevant

Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.

  • Protect dashboard, admin, or partner paths with required roles instead of relying on hidden links.
  • Redirect retired marketing or documentation URLs to new routes during a site migration.
  • Rewrite friendly front-end paths while keeping file structure or API paths stable.
  • Fix single-page app navigation so bookmarked deep links do not return unexpected 404 responses.
  • Return clear unauthorized or not-found behavior for users instead of confusing default responses.

Real-world case studies

Different enterprise-style examples that show the term being used to hit measurable objectives.

Case study 01

Legal aid portal protects advisor-only pages

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A nonprofit legal aid portal published public self-help pages and advisor-only intake dashboards from the same Static Web Apps project.

Business/Technical Objectives
  • Keep public guidance pages anonymous.
  • Restrict advisor dashboards to assigned roles.
  • Stop relying on hidden navigation links as access control.
  • Verify access behavior before a grant-reporting deadline.
Solution Using Static Web Apps route rule

The engineering lead rewrote the route rules in staticwebapp.config.json so public routes remained open while /advisor and /intake paths required specific roles. The team tested each protected route anonymously, with a volunteer account, and with an advisor account. Azure CLI was used to list Static Web Apps users and confirm role assignments during validation, while browser tools verified 401 and 403 behavior. The configuration change was reviewed in a pull request and deployed first to a preview environment. After production release, the team documented the expected route outcomes for support staff.

Results & Business Impact
  • Unauthorized access attempts to advisor pages returned the correct response in 100 percent of test cases.
  • Public page availability stayed unchanged during the access-control release.
  • Security review time fell from three days to one afternoon because route behavior was documented.
  • A hidden-link workaround was removed from the front-end codebase.
Key Takeaway for Glossary Readers

Route rules are the enforceable boundary for Static Web Apps paths; the visible menu is not enough protection.

Case study 02

Media archive preserves legacy article links

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A public media archive moved thousands of old story URLs into a new Static Web Apps information architecture and needed old links to keep working.

Business/Technical Objectives
  • Redirect high-traffic legacy paths to the new article structure.
  • Avoid redirect loops that would hurt search and accessibility.
  • Keep unmatched archive paths returning clear not-found behavior.
  • Validate changes before the anniversary coverage launch.
Solution Using Static Web Apps route rule

The web team added route rules for the most important legacy path patterns and tested them against analytics data for the top 500 archived URLs. Redirect rules were kept narrow so asset paths and API routes were not captured accidentally. The team used browser developer tools to verify status codes and destination paths, while Azure CLI confirmed the correct preview environment and production hostname under test. A small set of response overrides helped users understand retired pages. The launch runbook included a rollback commit and a post-release synthetic check for the highest-volume legacy links.

Results & Business Impact
  • Successful legacy-link resolution improved from 64 percent to 97 percent across the top 500 URLs.
  • Redirect loops were reduced from 23 discovered cases to zero before launch.
  • Search-console 404 alerts fell by 58 percent over the next month.
  • Editors avoided emergency manual link fixes during the anniversary traffic spike.
Key Takeaway for Glossary Readers

Carefully scoped route rules let migrations preserve user trust without sending every old path through messy application code.

Case study 03

IoT dashboard fixes bookmarked-device refreshes

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

An IoT monitoring vendor shipped a dashboard where users could click device pages successfully, but bookmarked device URLs returned 404 after refresh.

Business/Technical Objectives
  • Support direct navigation to device-detail pages.
  • Avoid masking failed API routes with front-end fallback behavior.
  • Keep unauthorized device pages protected by role rules.
  • Reduce support tickets before a major firmware rollout.
Solution Using Static Web Apps route rule

The team reviewed Static Web Apps route rules and navigation behavior together. They added a focused rule set that supported single-page app device routes while excluding /api and static asset paths from fallback behavior. Protected dashboard areas kept allowed-role requirements, and device API calls were tested separately from browser route refreshes. Operators used CLI to confirm the preview and production environments, then captured response-code evidence for direct URL requests. The final pull request included test cases for bookmarks, unauthorized access, valid device pages, missing devices, and API failures.

Results & Business Impact
  • Bookmark-related 404 tickets dropped by 89 percent after the route-rule fix.
  • API failure visibility improved because fallback no longer hid broken /api responses.
  • Firmware rollout support staffing was reduced by two on-call engineers.
  • Direct navigation tests became a required release gate for future dashboard changes.
Key Takeaway for Glossary Readers

Route rules and fallback behavior must be tuned together so single-page apps work without hiding real API or authorization failures.

Why use Azure CLI for this?

After ten years of Azure engineering, I do not use Azure CLI to edit route rules directly because the rules belong in staticwebapp.config.json and source control. I still use CLI around them constantly. CLI confirms the Static Web App, environment, custom hostnames, users, and linked APIs that receive the deployed rule file. That evidence is crucial when a route works in one preview but fails in production. It also helps operators avoid blaming Azure hosting when the real issue is a repository configuration change. CLI gives the operational context; source control gives the route-rule content. Test this path before approval and record the expected route-rule behavior.

CLI use cases

  • Confirm which Static Web App and environment received the route-rule configuration currently under test.
  • List users and roles while troubleshooting route rules that depend on authentication.
  • List custom hostnames so route behavior is tested on the real user-facing domain.
  • Show linked backend information when a route rule affects /api requests.
  • Capture environment and hostname evidence for a route-rule incident or release validation record.

Before you run CLI

  • Review staticwebapp.config.json in source control before assuming a portal resource setting caused route behavior.
  • Confirm whether the failing path is in production, a named environment, or a pull-request preview.
  • Check the user role and authentication provider when testing protected route rules.
  • Use browser tools or curl alongside CLI because CLI gives context, not the route-rule file contents.
  • Avoid deleting environments or changing users while still diagnosing whether the route rule itself is wrong.

What output tells you

  • Environment output identifies the deployed target so route tests are not accidentally run against the wrong preview.
  • Users output helps explain why an authenticated tester may or may not satisfy an allowedRoles route rule.
  • Hostname output tells you whether custom-domain testing was included, which matters for user-facing route behavior.
  • Backend output helps connect /api route-rule symptoms to the linked API resource that handled the request.
  • Static Web App show output provides the resource identity and default hostname needed for release notes or incident records.

Mapped Azure CLI commands

Static Web Apps route-rule diagnostics

adjacent
az staticwebapp show --name <static-app-name> --resource-group <resource-group> --output json
az staticwebappdiscoverWeb
read-only Microsoft docs
az staticwebapp environment list --name <static-app-name> --resource-group <resource-group> --output table
az staticwebapp environmentdiscoverWeb
read-only Microsoft docs
az staticwebapp users list --name <static-app-name> --resource-group <resource-group> --authentication-provider all --output table
az staticwebapp usersdiscoverWeb
read-only Microsoft docs
az staticwebapp hostname list --name <static-app-name> --resource-group <resource-group> --output table
az staticwebapp hostnamediscoverWeb
read-only Microsoft docs
az staticwebapp backends show --name <static-app-name> --resource-group <resource-group> --output json
az staticwebapp backendsdiscoverWeb
read-only Microsoft docs

Architecture context

Architecturally, route rules are the request policy layer of a Static Web App. I review them the way I review ingress rules, reverse-proxy rules, or lightweight web server configuration. They define which paths are anonymous, which need roles, which legacy URLs are redirected, and how application routes are rewritten. Good architecture keeps rules explicit, narrow, and documented so future developers do not accidentally broaden access. For single-page apps, route rules and navigation fallback must be planned together. For APIs, rules should protect paths without hiding backend health. The cleaner the route table, the easier production incidents are to reason about.

Security

Security impact is direct because route rules can allow or deny access to pages and API paths. Do not rely on hidden links, front-end checks, or obscurity to protect sensitive content. Use role requirements where appropriate, test anonymous access directly, and verify that API routes are not accidentally left public. Review redirects and rewrites so they do not create open-redirect patterns or leak protected paths. Security reviewers should inspect route rules in pull requests and test them in preview environments. A rule that looks harmless can become a serious exposure if it matches broader paths than intended. Test this path before approval and record the expected route-rule behavior.

Cost

Cost impact is indirect but real. Route rules do not create a separate billing object, yet bad routing can increase support time, failed API calls, logging volume, and downstream traffic. Redirect loops can generate noisy requests. Missing cache or rewrite discipline can send more traffic to APIs than intended. Publicly exposed routes may invite unwanted scraping or automated probing. The most expensive cost is often human: release delays while teams discover that a small config change broke navigation or access. Cost control comes from review, narrow rules, synthetic checks, and avoiding route behavior that creates unnecessary backend load. Test this path before approval and record the expected route-rule behavior.

Reliability

Reliability impact is direct because route rules control whether requests reach the right content. A bad rule can break deep links, create redirect loops, return wrong status codes, or route users away from working pages. Changes should be tested with direct browser navigation, refreshes, old URLs, protected pages, and /api calls. Rollback is usually a source-control deployment, so the last known good configuration should be easy to identify. Reliable route-rule management favors small changes, preview validation, and clear expected results. Operators should treat route-rule failures as configuration incidents, not just front-end bugs. Test this path before approval and record the expected route-rule behavior.

Performance

Performance impact is indirect for static file delivery and direct for request paths affected by redirects, rewrites, and API routing. A clean rule can send users quickly to the right page. A messy chain can add extra round trips, delay first interaction, or route browser requests through slower paths. Single-page app fallback behavior also affects perceived performance when users open bookmarked pages. Operators should test response codes, redirect counts, cache headers, and API timings after rule changes. Route rules should make the request path simpler, not create hidden latency that appears as a front-end performance problem. Test this path before approval and record the expected route-rule behavior.

Operations

Operators handle route rules by reviewing the deployed staticwebapp.config.json, reproducing failing paths, comparing preview and production environments, and checking authentication state. They should capture the exact URL, response code, redirect chain, user role, environment, and build version. Practical operations include testing anonymous and authenticated requests, confirming API path behavior, and reviewing recent pull requests that touched configuration. Because route rules are source-controlled, the fix often requires a repository change and deployment, not a portal edit. Runbooks should point engineers to the config file and the validation checklist. Test this path before approval and record the expected route-rule behavior.

Common mistakes

  • Writing a broad wildcard rule that catches assets or API paths the team never intended to protect or redirect.
  • Testing navigation clicks but not direct browser refreshes, bookmarked links, or unauthenticated requests.
  • Assuming client-side route guards protect content when the Static Web Apps route rule remains public.
  • Changing redirects during migration without checking for loops, incorrect status codes, or lost query strings.
  • Forgetting that route-rule fixes require repository deployment, so portal-only troubleshooting cannot resolve the config problem.