Azure_AppService_11

Ensure that Web App should only be accessible over HTTPS

Description

Azure Web Apps allow sites to run under both HTTP and HTTPS by default, so anyone can reach a web app over a non-secure HTTP link. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.

Remediation

Perform the following in the Azure Console:

  1. Log in to the Azure Portal at https://portal.azure.com
  2. Go to App Services
  3. Click on each App
  4. Under the Settings section, click on SSL settings
  5. Set HTTPS Only to On under the Protocol Settings section

Perform the following in Azure Command Line Interface 2.0:

To set the HTTPS-only traffic value for an existing app, run the following command:

az webapp update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --set httpsOnly=true
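The per-app command above can be applied across every app in a subscription. The following is an added example, not part of the original rule text: it lists apps whose httpsOnly property is false or unset and optionally remediates them. The function names list_http_apps and enforce_https_only are hypothetical, and the script assumes az is already logged in with the target subscription selected.

```shell
#!/usr/bin/env bash
# Added example: audit (and optionally fix) the httpsOnly setting for all
# App Service apps in the current subscription. Function names are hypothetical.

# Print "resource-group<TAB>app-name" for every app where httpsOnly is
# false or missing. The JMESPath filter [?!httpsOnly] matches both cases.
list_http_apps() {
    az webapp list --query '[?!httpsOnly].[resourceGroup, name]' --output tsv
}

# Usage: enforce_https_only [audit|fix]
#   audit (default): report non-compliant apps, return 1 if any exist.
#   fix: set httpsOnly=true on each one, return 1 if any update fails.
enforce_https_only() {
    mode="${1:-audit}"
    findings=0
    failed=0
    # A here-document keeps the loop in the current shell so the counters survive.
    while IFS="$(printf '\t')" read -r rg app; do
        [ -n "$app" ] || continue
        findings=$((findings + 1))
        if [ "$mode" = "fix" ]; then
            if az webapp update --resource-group "$rg" --name "$app" \
                    --set httpsOnly=true --output none; then
                echo "FIXED $rg/$app"
            else
                echo "ERROR $rg/$app" >&2
                failed=$((failed + 1))
            fi
        else
            echo "FAIL $rg/$app"
        fi
    done <<EOF
$(list_http_apps)
EOF
    if [ "$mode" = "fix" ]; then
        [ "$failed" -eq 0 ]
    else
        [ "$findings" -eq 0 ]
    fi
}
```

Source the file, then run enforce_https_only to audit or enforce_https_only fix to remediate; the non-zero return on findings lets a CI job fail when an app still accepts plain HTTP.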

References:

  1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https

Service

AppService

Severity

Medium

Compliance

Mapping
