App Service web apps should have ‘HTTPS only’ enabled

Description

Azure Web Apps allows sites to run under both HTTP and HTTPS by default, so anyone can reach a web app over non-secure HTTP links unless this is changed. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.

Remediation Steps

Azure Portal

  • Navigate to App Services.

  • In the left navigation, select TLS/SSL settings.

  • In HTTPS Only, select On.

Azure CLI

  • To enable HTTPS only:

az webapp update --https-only true \
                 --name MyAppName \
                 --resource-group MyResourceGroup

Azure Resource Manager

{
  "properties": {
    "httpsOnly": true
  }
}

Example Configuration

{
  // other required fields here (ARM templates accept // comments; plain JSON does not)
  "type": "Microsoft.Web/sites",
  "apiVersion": "2021-02-01",
  "properties": {
    "httpsOnly": true
  }
}
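As an added example (not part of this guidance), the Python below applies the same check offline to the two artefacts named above: it walks an ARM template's resources and flags every Microsoft.Web/sites or slot resource whose httpsOnly is false or absent (absent means the Azure default, which also serves HTTP), and it turns the JSON printed by `az webapp list` into the remediation command shown under Azure CLI. The app names, resource group and sample records are constructed for the example.

```python
import json

# Both apps and their deployment slots carry the httpsOnly property.
WEB_APP_TYPES = {"Microsoft.Web/sites", "Microsoft.Web/sites/slots"}

def https_only_reason(value):
    """Return None when HTTPS-only is enforced, otherwise why it is not."""
    if value is True:
        return None
    if value is None:
        return "httpsOnly not set (Azure default also serves HTTP)"
    return f"httpsOnly is {value!r}, expected true"

def find_http_enabled_apps(template):
    """(name, reason) for each app or slot in an ARM template lacking HTTPS-only."""
    findings = []
    def walk(resources):  # child resources (e.g. slots) nest under "resources"
        for res in resources:
            if res.get("type") in WEB_APP_TYPES:
                reason = https_only_reason(res.get("properties", {}).get("httpsOnly"))
                if reason:
                    findings.append((res.get("name", "<unnamed>"), reason))
            walk(res.get("resources", []))
    walk(template.get("resources", []))
    return findings

def remediation_commands(webapps_json):
    """Given `az webapp list` JSON output, return the fix-up command for each non-compliant app."""
    return [
        f"az webapp update --https-only true --name {app['name']} "
        f"--resource-group {app['resourceGroup']}"
        for app in json.loads(webapps_json)
        if https_only_reason(app.get("httpsOnly"))
    ]

# Constructed sample input: a compliant app with a non-compliant staging slot,
# and an app that omits httpsOnly altogether.
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.Web/sites", "name": "shop-api",
     "properties": {"httpsOnly": True},
     "resources": [{"type": "Microsoft.Web/sites/slots", "name": "staging",
                    "properties": {"httpsOnly": False}}]},
    {"type": "Microsoft.Web/sites", "name": "legacy-portal", "properties": {}},
]}
SAMPLE_CLI_OUTPUT = json.dumps([
    {"name": "shop-api", "resourceGroup": "prod-rg", "httpsOnly": True},
    {"name": "legacy-portal", "resourceGroup": "prod-rg", "httpsOnly": False},
])
```

A value such as `"[parameters('httpsOnly')]"` is reported as a finding too, since the template alone cannot prove it resolves to true.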

Terraform

Example Configuration

# azurerm_app_service is deprecated in azurerm 3.x; the replacement resources
# azurerm_linux_web_app and azurerm_windows_web_app take the same https_only argument.
resource "azurerm_app_service" "example" {
  https_only = true

  # other required fields here
}