Enforce encrypted App Service connections#
Security · App Service · Rule · 2020_06 · Important
Azure App Service apps should only accept encrypted connections.
Description#
Azure App Service apps are configured by default to accept encrypted and unencrypted connections. HTTP connections can be automatically redirected to use HTTPS when the HTTPS Only setting is enabled.
Unencrypted communication to App Service apps could allow disclosure of information to an untrusted party.
Recommendation#
When access using unencrypted HTTP connection is not required consider enabling HTTPS Only. Also consider using Azure Policy to audit or enforce this configuration.
Examples#
Configure with Azure template#
To deploy App Services that pass this rule:
- Set the
properties.httpsOnly
property totrue
.
For example:
{
"type": "Microsoft.Web/sites",
"apiVersion": "2023-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "Disabled",
"remoteDebuggingEnabled": false,
"http20Enabled": true,
"netFrameworkVersion": "v8.0",
"healthCheckPath": "/healthz",
"metadata": [
{
"name": "CURRENT_STACK",
"value": "dotnet"
}
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
}
Configure with Bicep#
To deploy App Services that pass this rule:
- Set the
properties.httpsOnly
property totrue
.
For example:
resource web 'Microsoft.Web/sites@2023-01-01' = {
name: name
location: location
identity: {
type: 'SystemAssigned'
}
kind: 'web'
properties: {
serverFarmId: plan.id
httpsOnly: true
siteConfig: {
alwaysOn: true
minTlsVersion: '1.2'
ftpsState: 'Disabled'
remoteDebuggingEnabled: false
http20Enabled: true
netFrameworkVersion: 'v8.0'
healthCheckPath: '/healthz'
metadata: [
{
name: 'CURRENT_STACK'
value: 'dotnet'
}
]
}
}
}
Configure with Azure Verified Modules
A pre-built module is avilable on the Azure Bicep public registry. To reference the module, please use the following syntax:
Links#
- SE:07 Encryption
- DP-3: Encrypt sensitive data in transit
- Enforce HTTPS
- Azure Policy built-in definitions for Azure App Service
- Azure deployment reference