App Service web apps should have ‘HTTPS only’ enabled
Description
By default, Azure Web Apps allows sites to run under both HTTP and HTTPS, so anyone can reach a web app over non-secure HTTP links. Non-secure HTTP requests can be restricted, with all HTTP requests redirected to the secure HTTPS port. Enforcing HTTPS-only traffic is recommended.
Remediation Steps
Azure Portal
Navigate to App Services.
In the left navigation, select TLS/SSL settings.
In HTTPS Only, select On.
Azure CLI
To enable HTTPS only:
az webapp update --https-only true \
    --name MyAppName \
    --resource-group MyResourceGroup
Azure Resource Manager
Ensure that a Microsoft.Web/sites resource contains the following:
{
  "properties": {
    "httpsOnly": true
  }
}
Example Configuration
{
  "type": "Microsoft.Web/sites",
  "apiVersion": "2021-02-01",
  // other required fields here
  "properties": {
    "httpsOnly": true
  }
}
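An added example, not part of the original page or of any Azure tooling: a static check, in Python, of an ARM template against the httpsOnly requirement above. The sample template and its resource names are constructed; a missing property is treated as a failure because HTTP is allowed by default, and template expressions are reported as unresolved rather than guessed.

```python
import json

SITE_TYPE = "microsoft.web/sites"  # compared lower-cased; ARM type names are case-insensitive


def iter_resources(resources):
    """Yield each resource, descending into child resources and inline nested deployments."""
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))
        nested = (res.get("properties") or {}).get("template")
        if isinstance(nested, dict):
            yield from iter_resources(nested.get("resources"))


def audit_https_only(template):
    """Return a (name, verdict) pair for every Microsoft.Web/sites resource in the template."""
    findings = []
    for res in iter_resources(template.get("resources")):
        if str(res.get("type", "")).lower() != SITE_TYPE:
            continue
        value = (res.get("properties") or {}).get("httpsOnly")
        if value is True:
            verdict = "PASS"
        elif isinstance(value, str) and value.startswith("["):
            verdict = "UNRESOLVED"  # e.g. "[parameters('x')]": needs the parameter file
        else:
            verdict = "FAIL"  # false, absent, or anything other than a literal true
        findings.append((res.get("name", "<unnamed>"), verdict))
    return findings


# Constructed sample template (not from the page); all names are placeholders.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Web/sites", "name": "app-ok", "properties": {"httpsOnly": true}},
  {"type": "Microsoft.Web/sites", "name": "app-missing", "properties": {}},
  {"type": "microsoft.web/sites", "name": "app-param",
   "properties": {"httpsOnly": "[parameters('enforceHttps')]"}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "stor"}
]}
""")

if __name__ == "__main__":
    for name, verdict in audit_https_only(SAMPLE_TEMPLATE):
        print(f"{verdict:10} {name}")
```

Run in CI against each template before deployment; an UNRESOLVED result means the parameter value supplied at deploy time still has to be checked.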
Terraform
Ensure that an azurerm_app_service contains the following:
https_only = true
Example Configuration
resource "azurerm_app_service" "example" {
  https_only = true
  # other required fields here
}