App Service web apps should have ‘HTTPS only’ enabled


Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.

Portal Remediation Steps

  • Navigate to App Services.

  • In the left navigation, select TLS/SSL settings.

  • In HTTPS Only, select On.

CLI Remediation Steps

  • To enable HTTPS only:

az webapp update --https-only true \
                 --name MyAppName \
                 --resource-group MyResourceGroup