Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
HTTP is periodically revised, either to address security flaws or to add functionality. Use the latest HTTP version for web apps to take advantage of any security fixes and new functionality in the newer version.
Risk Level: High
Cloud Entity: Web Apps service
CloudGuard Rule ID: D9.AZU.CRY.21
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
WebApp should have config.http20Enabled=true
REMEDIATION
From Portal
- Sign on to Azure Management console and navigate to App services
- Click on the name of the App service web application you want to examine
- In the navigation panel, under Settings, select Configuration to access the configuration settings defined for the selected application.
- On the Configuration panel, select 'General settings' tab to access the application general settings
- In the Platform settings section, select '2.0' from the HTTP version dropdown list to enable HTTP/2, the latest version of the HTTP protocol, for the selected web application
- Click Save to apply the change
From TF
Set the 'http2_enabled' argument to 'true':
resource "azurerm_app_service" "example" {
  # ...
  site_config {
    # ...
    http2_enabled = true
    # ...
  }
  # ...
}
Note: By default http2_enabled is set to false
From Command Line
Run
az webapp config set --resource-group RESOURCEGROUPNAME --name APPLICATIONSERVICENAME --http20-enabled true
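To check a whole subscription against this rule before remediating, the following added example (not part of the original page or of CloudGuard's own tooling) lists every web app and flags those whose http20Enabled setting is not true. It assumes the Azure CLI is installed and logged in; the function names are illustrative, and the case of the CLI's boolean output is normalized rather than assumed.

```shell
#!/bin/sh
# Added example: audit App Service web apps for the http20Enabled setting.
# Function names are illustrative; only `az webapp list` and
# `az webapp config show` are called.

# Print "resourceGroup<TAB>name<TAB>http20Enabled" for every web app in the
# current subscription. A failed lookup is recorded as "unknown".
collect_http2_state() {
  tab=$(printf '\t')
  az webapp list --query "[].[resourceGroup, name]" -o tsv |
  while IFS="$tab" read -r rg name; do
    state=$(az webapp config show --resource-group "$rg" --name "$name" \
              --query http20Enabled -o tsv 2>/dev/null </dev/null)
    printf '%s\t%s\t%s\n' "$rg" "$name" "${state:-unknown}"
  done
}

# Read those lines on stdin, print each app that fails the rule, and
# return 1 if any app failed (0 when all are compliant).
# Anything other than "true" (any case) is flagged, including "unknown".
report_noncompliant() {
  tab=$(printf '\t')
  failed=0
  while IFS="$tab" read -r rg name state; do
    [ -n "$name" ] || continue
    case $(printf '%s' "$state" | tr 'A-Z' 'a-z') in
      true) ;;
      *)
        printf 'NONCOMPLIANT\t%s\t%s\thttp20Enabled=%s\n' "$rg" "$name" "$state"
        failed=1
        ;;
    esac
  done
  return "$failed"
}

# Run the audit only when the Azure CLI is available.
if command -v az >/dev/null 2>&1; then
  collect_http2_state | report_noncompliant
fi
```

Each flagged app can then be remediated with the `az webapp config set` command shown above.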
References
- https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-tls-versions
- https://docs.microsoft.com/en-us/cli/azure/webapp/config?view=azure-cli-latest
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app_slot#http2_enabled
Web Apps service
Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.
Compliance Frameworks
- AZU PCI-DSS 4.0
- Azure CIS Foundations v. 1.1.0
- Azure CIS Foundations v. 1.2.0
- Azure CIS Foundations v. 1.3.0
- Azure CIS Foundations v. 1.3.1
- Azure CIS Foundations v. 1.4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v. 2.0
- Azure CloudGuard Best Practices
- Azure ITSG-33
- Azure NIST 800-53 Rev 5
- Azure Security Risk Management
- CloudGuard Azure All Rules Ruleset
- Microsoft Cloud Security Benchmark