Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App

Newer versions of HTTP are released periodically, either to address security flaws or to add functionality. Run web apps on the latest HTTP version so they benefit from any security fixes and from the new capabilities of that version.

Risk Level: High
Cloud Entity: Web Apps service
CloudGuard Rule ID: D9.AZU.CRY.21
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

WebApp should have config.http20Enabled=true

REMEDIATION

From Portal

  1. Sign on to Azure Management console and navigate to App services
  2. Click on the name of the App service web application you want to examine
  3. In the navigation panel, under Settings, select Configuration to access the configuration settings defined for the selected application.
  4. On the Configuration panel, select the 'General settings' tab to access the application's general settings.
  5. In the Platform settings section, select '2.0' from the HTTP version dropdown list to enable HTTP/2, the latest version of the HTTP protocol, for the selected web application.
  6. Click Save to apply the change

From TF
Set the 'http2_enabled' argument to 'true':

resource "azurerm_app_service" "example" {
  # ...
  site_config {
    # ...
    http2_enabled = true
    # ...
  }
  # ...
}

Note: By default, 'http2_enabled' is set to 'false'.

From Command Line
Run

az webapp config set --resource-group RESOURCEGROUPNAME --name APPLICATIONSERVICENAME --http20-enabled true
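The GSL logic above can be applied offline to exported site configuration. The following is an added example (not CloudGuard's or Azure's code) that evaluates the rule over constructed records shaped like the 'properties' block returned by 'az webapp config show' and emits the documented remediation command for each failing app; the sample data and the resource group name are made up.

```python
import json

# Constructed sample input: shape mirrors the `properties` of an App Service
# site config as returned by `az webapp config show`; the values are made up.
SAMPLE_CONFIGS = json.loads("""
[
  {"name": "payments-api",  "http20Enabled": true,  "minTlsVersion": "1.2"},
  {"name": "legacy-portal", "http20Enabled": false, "minTlsVersion": "1.2"},
  {"name": "intranet",      "minTlsVersion": "1.2"}
]
""")


def http2_compliant(site_config):
    """Rule D9.AZU.CRY.21: WebApp should have config.http20Enabled=true.

    Only a boolean true passes. A missing key is non-compliant, which matches
    the documented default (http2_enabled is false unless explicitly set).
    """
    return site_config.get("http20Enabled") is True


def evaluate(configs):
    """Map each app name to 'compliant' or 'non-compliant'."""
    return {
        c["name"]: ("compliant" if http2_compliant(c) else "non-compliant")
        for c in configs
    }


def remediation_commands(configs, resource_group):
    """Build the `az webapp config set` command from the page for each failing app."""
    return [
        f"az webapp config set --resource-group {resource_group} "
        f"--name {c['name']} --http20-enabled true"
        for c in configs
        if not http2_compliant(c)
    ]


if __name__ == "__main__":
    for name, status in evaluate(SAMPLE_CONFIGS).items():
        print(f"{name}: {status}")
    for cmd in remediation_commands(SAMPLE_CONFIGS, "RESOURCEGROUPNAME"):
        print(cmd)
```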

References

  1. https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-tls-versions
  2. https://docs.microsoft.com/en-us/cli/azure/webapp/config?view=azure-cli-latest
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app_slot#http2_enabled

Web Apps service

Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • Azure Security Risk Management
  • CloudGuard Azure All Rules Ruleset
  • Microsoft Cloud Security Benchmark