Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Risk Level: High
Cloud Entity: Web Apps service
CloudGuard Rule ID: D9.AZU.CRY.24
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

WebApp should have inner.httpsOnly=true

REMEDIATION

From Portal

  1. Sign on to Azure App services
  2. Click on the name of the App service web application you want to examine
  3. In the navigation panel, under Settings, select 'TLS/SSL settings'
  4. In the 'HTTPS Only' toggle select ON

From TF
Set the 'https_only' argument to 'true':

resource "azurerm_app_service" "example" {
	# ... other arguments unchanged
	https_only = true
	# ...
}

Note: By default, https_only is set to false.

From Command Line
Run

az webapp update --https-only true --name WEBAPPNAME --resource-group RESOURCEGROUPNAME

Note: If the setting status is Off, the selected Microsoft Azure App Service web application does not enforce HTTP to HTTPS redirection, so its TLS/SSL configuration is not compliant.
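An added audit script, not part of the CloudGuard rule or the Azure documentation, that applies the GSL logic above to `az webapp list` output and emits this page's remediation command for each non-compliant app. The sample data is constructed; running with `--live` assumes a logged-in Azure CLI whose list output carries the `name`, `resourceGroup` and `httpsOnly` fields.

```python
#!/usr/bin/env python3
"""Audit Azure App Service web apps for CloudGuard rule D9.AZU.CRY.24
(WebApp should have inner.httpsOnly=true). Constructed example; with --live
it assumes an installed, logged-in Azure CLI, otherwise it uses sample data."""
import json
import subprocess
import sys

# JMESPath projection keeping only the fields the check needs; the field
# names follow the `az webapp list` JSON output.
QUERY = "[].{name:name, resourceGroup:resourceGroup, httpsOnly:httpsOnly}"

def evaluate(apps):
    """Return a finding for every app whose httpsOnly is not exactly true.
    A missing or null value is non-compliant: the platform default is false."""
    findings = []
    for app in apps:
        if app.get("httpsOnly") is True:
            continue
        findings.append({
            "name": app["name"],
            "resourceGroup": app["resourceGroup"],
            "httpsOnly": app.get("httpsOnly"),
            # The same remediation command the rule page prescribes.
            "remediation": (f"az webapp update --https-only true --name "
                            f"{app['name']} --resource-group {app['resourceGroup']}"),
        })
    return findings

def list_web_apps():
    """Fetch web apps through the Azure CLI (requires `az login` first)."""
    out = subprocess.check_output(
        ["az", "webapp", "list", "--query", QUERY, "-o", "json"])
    return json.loads(out)

# Constructed sample mirroring the shape of `az webapp list` output.
SAMPLE_APPS = [
    {"name": "shop-frontend", "resourceGroup": "rg-prod", "httpsOnly": True},
    {"name": "legacy-api", "resourceGroup": "rg-prod", "httpsOnly": False},
    {"name": "staging-portal", "resourceGroup": "rg-test", "httpsOnly": None},
]

if __name__ == "__main__":
    findings = evaluate(list_web_apps() if "--live" in sys.argv else SAMPLE_APPS)
    for f in findings:
        print(f"NON-COMPLIANT {f['resourceGroup']}/{f['name']} "
              f"(httpsOnly={f['httpsOnly']}) -> {f['remediation']}")
    sys.exit(1 if findings else 0)
```

The script exits non-zero when any app fails the check, so it can gate a pipeline; the printed command for each finding is the same `az webapp update` call given in the remediation section.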

References

  1. https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings
  2. https://docs.microsoft.com/en-us/cli/azure/webapp?view=azure-cli-latest
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only

Web Apps service

Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • Azure Security Risk Management
  • CloudGuard Azure All Rules Ruleset
  • Microsoft Cloud Security Benchmark