Azure-AppService-HTTPS-Only-Enabled

Severity: High

Description: This control ensures that a web app in Azure App Service redirects all HTTP traffic to HTTPS. By default, Web Apps can be accessed by anyone over non-secure HTTP links. Non-secure HTTP requests can be restricted, and all HTTP requests redirected to the secure HTTPS port. When the setting is enabled, every incoming HTTP request is redirected to the HTTPS port. It is recommended to enforce HTTPS-only traffic.

Remediation Steps:

Perform the following to update the App Service configuration:

  1. Log in to the Azure Portal at https://portal.azure.com.

  2. Go to App Services.

  3. Click on the affected Web App.

  4. Under the Settings section, click on TLS/SSL settings.

  5. Set HTTPS Only to ON under Protocol Settings.
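
The same check and change can be scripted with Azure CLI for every web app in a subscription. This is an added example, not part of the original control text; it assumes an authenticated `az` session, and the function names, modes and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and enable the HTTPS Only setting with Azure CLI.
# Function names, modes and sample rows are illustrative, not from the control text.
TAB=$(printf '\t')

# Emit "name<TAB>resourceGroup<TAB>httpsOnly" for every web app in the current subscription.
list_apps() {
  az webapp list --query '[].[name, resourceGroup, httpsOnly]' --output tsv
}

# Filter that TSV (stdin) down to apps where HTTPS Only is not enabled.
# Any value other than true (false, empty, None) is reported as non-compliant.
noncompliant() {
  while IFS="$TAB" read -r name rg https_only; do
    case "$https_only" in
      true|True) ;;   # compliant, skip
      *) if [ -n "$name" ]; then printf '%s\t%s\n' "$name" "$rg"; fi ;;
    esac
  done
}

# Turn HTTPS Only on for each "name<TAB>resourceGroup" line on stdin.
# Pass "echo" as the first argument to print the az arguments instead of calling az.
remediate() {
  run=${1:-az}
  while IFS="$TAB" read -r name rg; do
    "$run" webapp update --name "$name" --resource-group "$rg" \
      --https-only true --output none </dev/null
  done
}

# Constructed sample rows in the list_apps format, for trying the filter offline.
sample_rows() {
  printf 'shop-web\trg-prod\tTrue\n'
  printf 'legacy-api\trg-prod\tFalse\n'
  printf 'intranet\trg-dev\tFalse\n'
}

case "${1:-}" in
  audit) list_apps | noncompliant ;;                  # report only
  plan)  list_apps | noncompliant | remediate echo ;; # show what would change
  fix)   list_apps | noncompliant | remediate ;;      # apply the setting
  demo)  sample_rows | noncompliant ;;                # offline, constructed data
esac
```

Running `audit` again after `fix` should print nothing, which confirms that every app in the subscription now has HTTPS Only set to ON.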

Important:

Reference:

Blue Hexagon Proprietary