App Service web apps should have ‘HTTPS only’ enabled¶
Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.
Navigate to App Services.
In the left navigation, select TLS/SSL settings.
In HTTPS Only, select On.
To enable HTTPS only:
az webapp update --https-only true \ --name MyAppName \ --resource-group MyResourceGroup