Skip to content

Enforce encrypted App Service connections#

Security · App Service · Azure.AppService.UseHTTPS

Azure App Service apps should only accept encrypted connections.

Description#

Azure App Service apps are configured by default to accept encrypted and unencrypted connections. HTTP connections can be automatically redirected to use HTTPS when the HTTPS Only setting is enabled.

Unencrypted communication to App Service apps could allow disclosure of information to an untrusted party.

Recommendation#

When access using unencrypted HTTP connection is not required consider enabling HTTPS Only. Also consider using Azure Policy to audit or enforce this configuration.


Last update: 2021-09-24