Azure_AppService_12

Ensure that Function App should only be accessible over HTTPS

Description

Azure Function Apps allow sites to run under both HTTP and HTTPS by default, so anyone can reach a function app over a non-secure HTTP link. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.

Remediation

Perform the following in the Azure Console:

  1. Login to Azure Portal using https://portal.azure.com
  2. Go to Function App
  3. Click on each App
  4. Under the Platform feature section, click on SSL settings
  5. Set HTTPS Only to On under Protocol Settings section

Perform the following in Azure Command Line Interface 2.0:

To set HTTPS-only traffic value for an existing app, run the following command.

az functionapp update --resource-group <RESOURCE_GROUP_NAME> --name <FUNCTIONAPP_NAME> --set httpsOnly=true
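
To check and fix every Function App in a subscription rather than one at a time, the command above can be wrapped in a small audit script. This is an added example, not part of the original rule text; it assumes the Azure CLI is installed and already logged in to the target subscription, and the function names and the DRY_RUN variable are illustrative.

```shell
#!/bin/sh
# Audit Function Apps for the HTTPS Only setting and optionally enforce it.
# Assumption: `az login` has been run and the right subscription is selected.

# Print "<resource-group><TAB><name>" for each Function App whose httpsOnly
# property is false or missing. The JMESPath filter [?!httpsOnly] matches both.
list_http_enabled_functionapps() {
  az functionapp list --query '[?!httpsOnly].[resourceGroup,name]' --output tsv
}

# With DRY_RUN=1, only report non-compliant apps. Otherwise apply the
# remediation command to each one. Returns non-zero if any update failed.
enforce_https_only() {
  tab=$(printf '\t')
  list_http_enabled_functionapps | (
    failed=0
    while IFS="$tab" read -r rg name; do
      [ -n "$name" ] || continue
      if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "NONCOMPLIANT $rg/$name"
        continue
      fi
      if az functionapp update --resource-group "$rg" --name "$name" \
           --set httpsOnly=true --output none; then
        echo "FIXED $rg/$name"
      else
        echo "FAILED $rg/$name" >&2
        failed=1
      fi
    done
    exit "$failed"
  )
}

# Stand-alone use: `sh audit.sh report` lists findings, `sh audit.sh fix` remediates.
case "${1:-}" in
  report) DRY_RUN=1 enforce_https_only ;;
  fix)    DRY_RUN=0 enforce_https_only ;;
esac
```

Run the report mode first and review the list before remediating, since clients that still call an app over plain HTTP will be redirected to HTTPS once the setting is on.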

References:

  1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https

Service

AppService

Severity

Medium

Compliance

Mapping
