web.config, backend: Java, hosting: Azure

Napisałem pierwszego web.configa i mam problem. Jak odpalam backend na postmanie, to nie widzę kompletnie zmian w ustawieniach custom headers. (Na Azure wgrałem ten sam plik web.config - do /wwwroot). X-Frame-Options jak było DENY, tak nadal jest DENY... Inne też bez zmian. Czy ktoś może zasugerować przyczynę? Dzięki! Już trochę nad tym siedzę i bez efektu..

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!-- START x-xss protection -->
    <httpProtocol>
        <customHeaders>
            <add name="Content-Security-Policy"
                 value="default-src 'self';
                     font-src 'self' https://fonts.gstatic.com/s/materialicons/ https://fonts.gstatic.com/ https://fonts.googleapis.com/;
                     style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/;
                     connect-src 'self' https://maps.googleapis.com/ https://fonts.gstatic.com/s/materialicons/;
                     script-src 'self' https://maps.googleapis.com/maps/api/ https://maps.google.com/ *.googleapis.com *.ggpht.com https://cdnjs.cloudflare.com/ajax/libs/html2canvas/0.4.1/html2canvas.js;
                     img-src 'self' https://maps.gstatic.com/ https://maps.google.com/ *.googleapis.com *.ggpht.com data:;" />
            <remove name="X-Powered-By" />
            <add name="X-Content-Type-Options" value="nosniff" />
            <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
    </httpProtocol>
    <!-- END x-xss protection -->
    <handlers>
        <add name="httpPlatformHandler" path="*" verb="*" modules="httpPlatformHandler" resourceType="Unspecified" />
    </handlers>
    <httpPlatform processPath="%JAVA_HOME%\bin\java.exe"
        arguments="-Djava.net.preferIPv4Stack=true -Dserver.port=%HTTP_PLATFORM_PORT% -jar &quot;%HOME%\site\wwwroot\AFSIBackend-@[email protected]&quot;">
    </httpPlatform>
    <rewrite>
      <rules>
        <rule name="Force HTTPS" enabled="true">
            <match url="(.*)" ignoreCase="false" />
            <conditions>
                <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            </conditions>
            <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <clear />
        <rule name="Add SameSite" preCondition="No SameSite">
            <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
            <action type="Rewrite" value="{R:0}; SameSite=lax" />
        </rule>
        <preConditions>
            <preCondition name="No SameSite">
                <add input="{RESPONSE_Set_Cookie}" pattern="." />
                <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=lax" negate="true" />
            </preCondition>
        </preConditions>
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
            <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
            <conditions>
                <add input="{HTTPS}" pattern="on" ignoreCase="true" />
            </conditions>
            <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>

W build.gradle mam takiego taska:

task copyBuildFiles(type: Copy) {
    from('src/main/templates') {
        include 'web.config'
    }
    into "$buildDir/libs"
    filter(ReplaceTokens, tokens: [VERSION: project.version])
    inputs.property("VERSION", project.version)

    from("$rootDir") {
        include 'logback-spring.xml'
    }
    into "$buildDir/libs"
}