Azure App Service Web App Doesn't Redirect HTTP To HTTPS

Azure Web Apps allows sites to run under both HTTP and HTTPS by default, so anyone can reach a web app over non-secure HTTP links. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

Azure App Service Web app doesn't redirect HTTP to HTTPS.
JSON Query:
$.resource[*].azurerm_app_service.*.*.* size > 0 and ($.resource[*].azurerm_app_service[*].*.*.https_only anyNull or $.resource[*].azurerm_app_service[*].*.*.https_only anyFalse)
Recommendation:
Recommended solution for redirecting HTTP to HTTPS.
It is recommended that the Azure App Service Web app redirect HTTP to HTTPS. Make sure your template contains "https_only" and that it is set to true.
For example:
"azurerm_app_service": [
  {
    "<app_service_name>": [
      {
        "location": "${azurerm_resource_group.example.location}",
        "name": "example-app-service",
        "resource_group_name": "${azurerm_resource_group.example.name}",
        "https_only": true
      }
    ]
  }
]
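The following added example (not part of the policy page or Prisma Cloud's own rule engine) implements the build rule's logic in plain Python: it walks the Terraform-JSON "resource" structure and flags every azurerm_app_service block whose https_only is absent (anyNull) or false (anyFalse). The sample template is constructed for the example; the label names are assumptions.

```python
import json

# Constructed Terraform-JSON sample (not from the page): one app service omits
# https_only, one sets it to false, and one is compliant.
SAMPLE_TEMPLATE = json.dumps({
    "resource": [
        {
            "azurerm_app_service": [
                {
                    "missing_flag": [{"name": "app-missing", "location": "eastus",
                                      "resource_group_name": "rg"}],
                    "explicit_false": [{"name": "app-false", "location": "eastus",
                                        "resource_group_name": "rg", "https_only": False}],
                    "compliant": [{"name": "app-ok", "location": "eastus",
                                   "resource_group_name": "rg", "https_only": True}],
                }
            ]
        }
    ]
})


def find_http_only_app_services(template_json: str) -> list:
    """Return (label, reason) for each azurerm_app_service whose https_only is
    null/absent or false, mirroring the anyNull / anyFalse parts of the query."""
    doc = json.loads(template_json)
    findings = []
    for resource_block in doc.get("resource", []):
        for type_entries in resource_block.get("azurerm_app_service", []):
            for label, instances in type_entries.items():
                for inst in instances:
                    value = inst.get("https_only")
                    if value is None:
                        findings.append((label, "https_only missing"))
                    elif value is not True:
                        findings.append((label, "https_only false"))
    return findings


def policy_violated(template_json: str) -> bool:
    """True when at least one azurerm_app_service exists (size > 0) and any of
    them fails the https_only check; an empty template does not trigger the rule."""
    doc = json.loads(template_json)
    count = sum(len(instances)
                for block in doc.get("resource", [])
                for entries in block.get("azurerm_app_service", [])
                for instances in entries.values())
    return count > 0 and bool(find_http_only_app_services(template_json))


if __name__ == "__main__":
    for label, reason in find_http_only_app_services(SAMPLE_TEMPLATE):
        print(f"{label}: {reason}")
```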

Run Rule Recommendation

  1. Log in to the Azure portal.
  2. Navigate to App Services.
  3. Click on the reported App.
  4. Under the Settings section, click 'TLS/SSL settings'.
  5. In 'Protocol Settings', set 'HTTPS Only' to 'On'.
Remediation CLI Command:
az webapp update --resource-group ${resourceGroup} --name ${resourceName} --set httpsOnly=true
CLI Command Description:
This CLI command requires the 'Microsoft.Web/sites/{app_name}/config/*' permission. Successful execution turns on the HTTPS-only feature, by which non-secure HTTP requests are restricted and all HTTP requests are redirected to the secure HTTPS port.

Compliance

There are 3 standards that are applicable to this policy:
  • PIPEDA
  • CIS v1.1 (Azure)
  • CCPA 2018
