Skip to content

App Service allows unencrypted traffic#

Security · App Service · Rule · 2020_06 · Important

Unencrypted communication could allow disclosure of information to an untrusted party.

Description#

Azure App Service apps are configured by default to accept encrypted and unencrypted connections. HTTP connections can be automatically redirected to use HTTPS when the HTTPS Only setting is enabled.

Unencrypted communication to App Service apps could allow disclosure of information to an untrusted party.

Recommendation#

When access using unencrypted HTTP connection is not required consider enabling HTTPS Only. Also consider using Azure Policy to audit or enforce this configuration.

Examples#

Configure with Azure template#

To deploy App Services that pass this rule:

  • Set the properties.httpsOnly property to true.

For example:

Azure Template snippet
{
  "type": "Microsoft.Web/sites",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "kind": "web",
  "properties": {
    "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
    "httpsOnly": true,
    "siteConfig": {
      "alwaysOn": true,
      "minTlsVersion": "1.2",
      "ftpsState": "Disabled",
      "remoteDebuggingEnabled": false,
      "http20Enabled": true,
      "netFrameworkVersion": "v8.0",
      "healthCheckPath": "/healthz",
      "metadata": [
        {
          "name": "CURRENT_STACK",
          "value": "dotnet"
        }
      ]
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
  ]
}

Configure with Bicep#

To deploy App Services that pass this rule:

  • Set the properties.httpsOnly property to true.

For example:

Azure Bicep snippet
resource web 'Microsoft.Web/sites@2023-01-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  kind: 'web'
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    siteConfig: {
      alwaysOn: true
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'
      remoteDebuggingEnabled: false
      http20Enabled: true
      netFrameworkVersion: 'v8.0'
      healthCheckPath: '/healthz'
      metadata: [
        {
          name: 'CURRENT_STACK'
          value: 'dotnet'
        }
      ]
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/web/site:<version>

To use the latest version:

br/public:avm/res/web/site:0.9.0

Comments