App Service allows unencrypted traffic
March 21, 2025 ยท View on GitHub
SYNOPSIS
Unencrypted communication could allow disclosure of information to an untrusted party.
DESCRIPTION
Azure App Service apps are configured by default to accept encrypted and unencrypted connections. HTTP connections can be automatically redirected to use HTTPS when the HTTPS Only setting is enabled.
Unencrypted communication to App Service apps could allow disclosure of information to an untrusted party.
RECOMMENDATION
When access using unencrypted HTTP connection is not required consider enabling HTTPS Only. Also consider using Azure Policy to audit or enforce this configuration.
EXAMPLES
Configure with Azure template
To deploy App Services that pass this rule:
- Set the
properties.httpsOnlyproperty totrue.
For example:
{
"type": "Microsoft.Web/sites",
"apiVersion": "2023-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "Disabled",
"remoteDebuggingEnabled": false,
"http20Enabled": true,
"netFrameworkVersion": "v8.0",
"healthCheckPath": "/healthz",
"metadata": [
{
"name": "CURRENT_STACK",
"value": "dotnet"
}
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
}
Configure with Bicep
To deploy App Services that pass this rule:
- Set the
properties.httpsOnlyproperty totrue.
For example:
resource web 'Microsoft.Web/sites@2023-01-01' = {
name: name
location: location
identity: {
type: 'SystemAssigned'
}
kind: 'web'
properties: {
serverFarmId: plan.id
httpsOnly: true
siteConfig: {
alwaysOn: true
minTlsVersion: '1.2'
ftpsState: 'Disabled'
remoteDebuggingEnabled: false
http20Enabled: true
netFrameworkVersion: 'v8.0'
healthCheckPath: '/healthz'
metadata: [
{
name: 'CURRENT_STACK'
value: 'dotnet'
}
]
}
}
}