App Service web apps should have ‘Minimum TLS Version’ set to ‘1.2’

Description

The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should use the latest version of TLS. App Service allows TLS 1.2 by default, which is the TLS level recommended by industry standards.

Remediation Steps

Azure Portal

  • Navigate to App Services.

  • In the left navigation, select TLS/SSL settings.

  • In Minimum TLS Version, select 1.2.

Azure CLI

  • To set the minimum TLS version to 1.2:

az webapp config set --resource-group MyResourceGroup \
                     --name MyResourceName \
                     --min-tls-version 1.2

Azure Resource Manager

For Microsoft.Web/sites:

{
  "properties": {
    "siteConfig": {
      "minTlsVersion": "1.2"
    }
  }
}

For Microsoft.Web/sites/config:

{
  "properties": {
    "minTlsVersion": "1.2"
  }
}

Example Configuration

For Microsoft.Web/sites:

{
  "type": "Microsoft.Web/sites",
  "apiVersion": "2021-02-01",
  "properties": {
    "siteConfig": {
      "minTlsVersion": "1.2"
    }
  }
  // other required fields here
}

For Microsoft.Web/sites/config:

{
  "type": "Microsoft.Web/sites/config",
  "apiVersion": "2021-02-01",
  "name": "web",
  "properties": {
    "minTlsVersion": "1.2"
  }
  // other required fields here
}
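
The two property paths above can be checked in a template before deployment. The following is an added example, not code from this page's vendor: it walks an ARM template, including nested child resources, and reports every Microsoft.Web/sites or Microsoft.Web/sites/config resource that declares a minTlsVersion below 1.2. The function names and the sample template are constructed for illustration; treating values above 1.2 as compliant and reporting non-literal values (template expressions) as findings are assumptions.

```python
MIN_TLS = (1, 2)
SITE, CONFIG = "microsoft.web/sites", "microsoft.web/sites/config"

def _walk(resources, parent=""):
    """Yield (full lower-cased type, resource), descending into nested children."""
    for res in resources:
        rtype = res.get("type", "")
        # Nested child resources carry only the last type segment, e.g. "config".
        full = f"{parent}/{rtype}" if parent and "/" not in rtype else rtype
        yield full.lower(), res
        yield from _walk(res.get("resources", []), full)

def _declared(rtype, res):
    """Return the minTlsVersion a resource declares, or None if it sets none."""
    props = res.get("properties") or {}
    if rtype == SITE:
        return (props.get("siteConfig") or {}).get("minTlsVersion")
    if rtype == CONFIG:
        return props.get("minTlsVersion")
    return None

def _parse(value):
    try:
        return tuple(int(p) for p in str(value).split("."))
    except ValueError:
        return None  # not a literal version, e.g. "[parameters('tls')]"

def find_weak_tls(template):
    """List (name, type, value) for declared values below 1.2 or unverifiable."""
    findings = []
    for rtype, res in _walk(template.get("resources", [])):
        value = _declared(rtype, res)
        if value is None:
            continue  # nothing declared on this resource
        parsed = _parse(value)
        if parsed is None or parsed < MIN_TLS:
            findings.append((res.get("name"), rtype, value))
    return findings

# Constructed sample template (hypothetical resource names).
SAMPLE = {"resources": [
    {"type": "Microsoft.Web/sites", "name": "legacy-app",
     "properties": {"siteConfig": {"minTlsVersion": "1.0"}}},
    {"type": "Microsoft.Web/sites/config", "name": "good-app/web",
     "properties": {"minTlsVersion": "1.2"}},
    {"type": "Microsoft.Web/sites", "name": "nested-app", "properties": {},
     "resources": [{"type": "config", "name": "web",
                    "properties": {"minTlsVersion": "1.1"}}]},
]}

if __name__ == "__main__":
    for finding in find_weak_tls(SAMPLE):
        print(finding)
```
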

Terraform

  • Ensure that the azurerm_app_service min_tls_version field is set to 1.2 within the site_config block.

Example Configuration

resource "azurerm_app_service" "example" {
  site_config {
    min_tls_version = "1.2"
  }
  # other required fields here
}