App Service web apps should have ‘Incoming client certificates’ enabled

Description

With incoming client certificates enabled, the app requests a certificate from the client on incoming requests. Only clients that have a valid certificate will be able to reach the app.

Remediation Steps

Azure Portal

  • Navigate to App Services.

  • Select your App Service.

  • In the left navigation, select Configuration.

  • Select General settings.

  • In Client certificate mode, select Require and click Save.

Azure CLI

  • To enable incoming client certificates:

az webapp update --set clientCertEnabled=true --name <app_name> --resource-group <group_name>

Azure Resource Manager

{
  "properties": {
    "clientCertEnabled": true
  }
}

Example Configuration

{
  "type": "Microsoft.Web/sites",
  "apiVersion": "2021-02-01",
  // other required fields here
  "properties": {
    "clientCertEnabled": true
  }
}
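
A check for this setting, as an added example that is not part of the original page: it scans resources taken from an ARM template or from `az webapp list` JSON output and reports web apps that do not require client certificates. The sample data is constructed; `clientCertMode` is the property behind the portal's Client certificate mode setting, and accepting a resource whose mode is absent is an assumption of this example.

```python
import json

# Constructed sample: resources shaped like an ARM template (nested
# "properties") and like `az webapp list` output (flattened to top level).
SAMPLE = json.loads("""
[
  {"type": "Microsoft.Web/sites", "name": "api-ok",
   "properties": {"clientCertEnabled": true, "clientCertMode": "Required"}},
  {"type": "Microsoft.Web/sites", "name": "api-optional",
   "properties": {"clientCertEnabled": true, "clientCertMode": "Optional"}},
  {"type": "Microsoft.Web/sites", "name": "web-off", "clientCertEnabled": false},
  {"type": "Microsoft.Web/sites", "name": "web-unset", "properties": {}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "stg", "properties": {}}
]
""")


def _setting(resource, key):
    """Read a site setting from either the nested or the flattened shape."""
    props = resource.get("properties")
    if isinstance(props, dict) and key in props:
        return props[key]
    return resource.get(key)


def audit_client_certs(resources):
    """Return (name, reason) for every web app that does not require client certs."""
    findings = []
    for res in resources:
        if str(res.get("type", "")).lower() != "microsoft.web/sites":
            continue  # not an App Service site
        name = res.get("name", "<unnamed>")
        enabled = _setting(res, "clientCertEnabled")
        mode = _setting(res, "clientCertMode")
        # Anything other than a literal true fails: false, missing, or a
        # string such as an unresolved template expression.
        if enabled is not True:
            findings.append((name, "clientCertEnabled is not true"))
        # Assumption: a missing mode is accepted; an explicit non-Required
        # mode is reported because the portal step above selects Require.
        elif mode is not None and str(mode).lower() != "required":
            findings.append((name, f"clientCertMode is {mode}, not Required"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_client_certs(SAMPLE):
        print(f"FAIL {name}: {reason}")
```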

Terraform

Example Configuration

resource "azurerm_app_service" "example" {
  client_cert_enabled = true

  # other required fields here
}