Azure_AppService_2

Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service

Description

By default, Azure Web Apps serves sites over both HTTP and HTTPS, so anyone can reach a web app through a non-secure HTTP link. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.

Remediation

Perform the following in the Azure Console:

  1. Log in to the Azure Portal at https://portal.azure.com
  2. Go to App Services
  3. Click on each App
  4. Under the Settings section, click SSL settings
  5. Set HTTPS Only to On under the Protocol Settings section

Perform the following in Azure Command Line Interface 2.0:

To set the HTTPS-only traffic value for an existing app, run the following command:

az webapp update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --set httpsOnly=true
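
To find every app in a subscription that still needs this setting, the following added example (not part of the original rule text) lists apps whose HTTPS Only flag is off and prints the matching remediation command for each one. The function names and the sample resource group and app names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the httpsOnly flag across all web apps in the
# current subscription and print one remediation command per finding.

# Print "resource-group<TAB>app-name" for every app with HTTPS Only off.
# Uses the CLI's built-in JMESPath --query, so no extra JSON tool is needed.
# Requires a logged-in Azure CLI session.
list_noncompliant() {
  az webapp list \
    --query '[?!httpsOnly].[resourceGroup, name]' \
    --output tsv
}

# Constructed sample of what list_noncompliant prints, for offline use.
sample_listing() {
  printf 'rg-prod\tshop-web\n'
  printf 'rg-dev\tapi-test\n'
}

# Read "resource-group<TAB>app-name" lines on stdin and print the command
# that enables HTTPS Only for each app. Nothing is executed here, so the
# output can be reviewed before it is run.
plan_remediation() {
  tab=$(printf '\t')
  while IFS="$tab" read -r rg name; do
    # Skip blank or incomplete lines instead of emitting a broken command.
    [ -n "$rg" ] && [ -n "$name" ] || continue
    # Azure resource group and app names cannot contain single quotes,
    # so single-quoting the values is sufficient.
    printf "az webapp update --resource-group '%s' --name '%s' --set httpsOnly=true\n" \
      "$rg" "$name"
  done
}

# "audit" queries Azure; "demo" uses the constructed sample above.
case "${1:-}" in
  audit) list_noncompliant | plan_remediation ;;
  demo)  sample_listing | plan_remediation ;;
esac
```

An empty result from the audit mode means every app in the subscription already enforces HTTPS Only.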

References:

  1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https

Service

AppService

Severity

Medium

Compliance

Mapping
