Enforce encrypted App Service connections#
Security · App Service · Rule · 2020_06
Azure App Service apps should only accept encrypted connections.
Description#
Azure App Service apps are configured by default to accept encrypted and unencrypted connections. HTTP connections can be automatically redirected to use HTTPS when the HTTPS Only setting is enabled.
Unencrypted communication to App Service apps could allow disclosure of information to an untrusted party.
Recommendation#
When access using unencrypted HTTP connection is not required consider enabling HTTPS Only. Also consider using Azure Policy to audit or enforce this configuration.
Examples#
Configure with Azure template#
To deploy App Services that pass this rule:
- Set
properties.httpsOnly
totrue
.
For example:
Azure Template snippet
{
"type": "Microsoft.Web/sites",
"apiVersion": "2021-02-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "FtpsOnly",
"remoteDebuggingEnabled": false,
"http20Enabled": true
}
},
"tags": "[parameters('tags')]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
}
Configure with Bicep#
To deploy App Services that pass this rule:
- Set
properties.httpsOnly
totrue
.
For example:
Azure Bicep snippet
resource webApp 'Microsoft.Web/sites@2021-02-01' = {
name: name
location: location
kind: 'web'
properties: {
serverFarmId: appPlan.id
httpsOnly: true
siteConfig: {
alwaysOn: true
minTlsVersion: '1.2'
ftpsState: 'FtpsOnly'
remoteDebuggingEnabled: false
http20Enabled: true
}
}
tags: tags
}
Links#
- Data encryption in Azure
- Enforce HTTPS
- Azure Policy built-in definitions for Azure App Service
- Azure deployment reference
Last update:
2022-12-03