Ensure Web App is using the latest version of TLS encryption
App Service currently allows Web App to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for Web App secure connections.
Risk Level: High
Cloud Entity: Web Apps service
CloudGuard Rule ID: D9.AZU.CRY.19
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
WebApp should have config.minTlsVersions.value='1.2'
REMEDIATION
From Portal
- Go to 'App Services' and choose your App Service.
- Select 'TLS/SSL settings' under 'Settings' on the navigation menu.
- Under 'Bindings' set 'Minimum TLS Version' to '1.2'.
From TF
Set the 'min_tls_version' argument to '1.2':
resource "azurerm_app_service" "web_app" {
..
site_config {
..
min_tls_version = "1.2"
..
}
..
}
From Command Line
Run
az webapp config set --resource-group RESOURCE GROUP --name WEB APP NAME --min-tls-version 1.2
References
- https://docs.microsoft.com/en-us/cli/azure/webapp/config?view=azure-cli-latest
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version
Web Apps service
Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.
Compliance Frameworks
- AZU PCI-DSS 4.0
- Azure CIS Foundations v. 1.1.0
- Azure CIS Foundations v. 1.2.0
- Azure CIS Foundations v. 1.3.0
- Azure CIS Foundations v. 1.3.1
- Azure CIS Foundations v. 1.4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CSA CCM v.4.0.1
- Azure CloudGuard Best Practices
- Azure HITRUST v9.5.0
- Azure ITSG-33
- Azure NIST 800-53 Rev 5
- Azure Security Risk Management
- CloudGuard Azure All Rules Ruleset
Updated over 1 year ago