App Service web app FTP deployments should be disabled


App Service web app FTP deployment endpoints are public, which means that a malicious actor on an insecure network can obtain user credentials and gain control of the code base for the web app.

Azure Portal

  • Navigate to App Services.

  • Select an app.

  • In the left navigation under Settings, select Configuration.

  • Select General Settings and from the FTP state drop-down, select Disabled or FTPS Only.

  • Click Save.

Azure CLI

  • To disable FTP deployments for an App Service web app:

az webapp config set --name <app-name> --resource-group <group-name> --ftps-state Disabled