App Service minimum TLS version
Security · App Service · 2020_06
App Service should reject TLS versions older than 1.2.
Description
The minimum version of TLS that Azure App Service accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
App Service lets you disable outdated protocols and enforce TLS 1.2. By default, a minimum of TLS 1.2 is enforced.
Recommendation
Consider configuring the minimum supported TLS version to be 1.2. Also consider using Azure Policy to audit or enforce this configuration.
Examples
Configure with Azure template
To deploy App Services that pass this rule:
- Set `properties.siteConfig.minTlsVersion` to `1.2`.
For example:
Azure Template snippet

```json
{
  "type": "Microsoft.Web/sites",
  "apiVersion": "2021-02-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "kind": "web",
  "properties": {
    "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
    "httpsOnly": true,
    "siteConfig": {
      "alwaysOn": true,
      "minTlsVersion": "1.2",
      "ftpsState": "FtpsOnly",
      "remoteDebuggingEnabled": false,
      "http20Enabled": true
    }
  },
  "tags": "[parameters('tags')]",
  "dependsOn": [
    "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
  ]
}
```
Configure with Bicep
To deploy App Services that pass this rule:
- Set `properties.siteConfig.minTlsVersion` to `1.2`.
For example:
Azure Bicep snippet

```bicep
resource webApp 'Microsoft.Web/sites@2021-02-01' = {
  name: name
  location: location
  kind: 'web'
  properties: {
    serverFarmId: appPlan.id
    httpsOnly: true
    siteConfig: {
      alwaysOn: true
      minTlsVersion: '1.2'
      ftpsState: 'FtpsOnly'
      remoteDebuggingEnabled: false
      http20Enabled: true
    }
  }
  tags: tags
}
```
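The template and Bicep snippets above show the compliant setting; the following Python audit is an added example, not part of this page or its rule engine. It walks the `resources` array of an ARM template (a constructed sample is embedded), reports every `Microsoft.Web/sites` resource whose `siteConfig.minTlsVersion` is below 1.2, and separately flags sites that omit the setting (and so rely on the platform default) or set it to an unresolved template expression; the helper names and the 1.2 floor are assumptions of this example.

```python
import json
from typing import Dict, List

# Constructed sample template: one compliant site, one pinned to TLS 1.0,
# one that omits minTlsVersion, one using a parameter expression, plus a plan.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.Web/sites", "name": "app-good",
         "properties": {"siteConfig": {"minTlsVersion": "1.2"}}},
        {"type": "Microsoft.Web/sites", "name": "app-legacy",
         "properties": {"siteConfig": {"minTlsVersion": "1.0"}}},
        {"type": "Microsoft.Web/sites", "name": "app-default",
         "properties": {"httpsOnly": True}},
        {"type": "Microsoft.Web/sites", "name": "app-param",
         "properties": {"siteConfig": {"minTlsVersion": "[parameters('tls')]"}}},
        {"type": "Microsoft.Web/serverfarms", "name": "plan"},
    ]
})

MIN_TLS = (1, 2)  # assumed floor: TLS 1.2, matching the rule on this page


def audit_min_tls(template_json: str) -> List[Dict[str, str]]:
    """Return one finding per Microsoft.Web/sites resource in an ARM template."""
    findings = []
    for res in json.loads(template_json).get("resources", []):
        if res.get("type") != "Microsoft.Web/sites":
            continue
        site_config = (res.get("properties") or {}).get("siteConfig") or {}
        version = site_config.get("minTlsVersion")
        if version is None:
            status = "default"      # not pinned in the template; platform default applies
        else:
            try:
                parsed = tuple(int(p) for p in str(version).split("."))
                status = "pass" if parsed >= MIN_TLS else "fail"
            except ValueError:
                status = "unresolved"  # template expression; check the parameter value
        findings.append({"name": res.get("name", "<unnamed>"),
                         "minTlsVersion": str(version or ""), "status": status})
    return findings


def failing_sites(template_json: str) -> List[str]:
    """Names of sites that explicitly allow a TLS version older than 1.2."""
    return [f["name"] for f in audit_min_tls(template_json) if f["status"] == "fail"]


if __name__ == "__main__":
    for f in audit_min_tls(SAMPLE_TEMPLATE):
        print(f"{f['name']:12} minTlsVersion={f['minTlsVersion'] or '(unset)':20} {f['status']}")
```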
Links
- Data encryption in Azure
- Enforce TLS versions
- Preparing for TLS 1.2 in Microsoft Azure
- Insecure protocols
- Azure Policy built-in definitions for Azure App Service
- Azure deployment reference
Last update: 2022-10-17