Skip to content

Enforce encrypted App Service connections#

Security · App Service · Azure.AppService.UseHTTPS

Azure App Service apps should only accept encrypted connections.

Description#

Azure App Service apps are configured by default to accept encrypted and unencrypted connections. HTTP connections can be automatically redirected to use HTTPS when the HTTPS Only setting is enabled.

Unencrypted communication to App Service apps could allow disclosure of information to an untrusted party.

Recommendation#

When access using unencrypted HTTP connection is not required consider enabling HTTPS Only. Also consider using Azure Policy to audit or enforce this configuration.

Examples#

Configure with Azure template#

To deploy App Services that pass this rule:

  • Set properties.httpsOnly to true.

For example:

{
    "type": "Microsoft.Web/sites",
    "apiVersion": "2021-02-01",
    "name": "[parameters('name')]",
    "location": "[parameters('location')]",
    "kind": "web",
    "properties": {
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
        "httpsOnly": true,
        "siteConfig": {
            "alwaysOn": true,
            "minTlsVersion": "1.2",
            "ftpsState": "FtpsOnly",
            "remoteDebuggingEnabled": false,
            "http20Enabled": true
        }
    },
    "tags": "[parameters('tags')]",
    "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
    ]
}

Configure with Bicep#

To deploy App Services that pass this rule:

  • Set properties.httpsOnly to true.

For example:

resource webApp 'Microsoft.Web/sites@2021-02-01' = {
  name: name
  location: location
  kind: 'web'
  properties: {
    serverFarmId: appPlan.id
    httpsOnly: true
    siteConfig: {
      alwaysOn: true
      minTlsVersion: '1.2'
      ftpsState: 'FtpsOnly'
      remoteDebuggingEnabled: false
      http20Enabled: true
    }
  }
  tags: tags
}

Last update: 2022-01-19