Azure-CDNProfiles-Detect-Insecure-Custom-Origin

Severity: High

Description: This control ensures that CDN custom domain endpoints have the secure HTTPS protocol enabled and the unsecured HTTP protocol disabled for traffic to the custom domain. HTTPS on the custom domain ensures that sensitive data is delivered securely via TLS/SSL, which protects the web application from attacks against unencrypted traffic.

Remediation Steps:

Perform the following steps to enable HTTPS on the custom domain:

  1. Log in to the Azure Portal at https://portal.azure.com.

  2. Navigate to All services.

  3. In All services, search for CDN Profile and select the CDN profile that contains the endpoint.

  4. Select the endpoint containing the custom domain.

  5. In the endpoint's list of custom domains, select the custom domain on which to enable HTTPS.

  6. Under Certificate management type, select Use my own certificate if you are using your own certificate through Azure Vault; otherwise, select CDN managed.

  7. Under Custom domain HTTPS, select On.

  8. Set Minimum TLS version to TLS 1.2.

  9. Select Save.

  10. When using the CDN managed certificate, domain validation is required. If the custom domain is mapped to the endpoint by a CNAME record, domain name verification happens automatically. If it is not mapped by CNAME, a verification email is sent to the domain administrator.

  11. Wait for propagation. Once propagation completes, the custom domain HTTPS status changes to Enabled.

Important:

  • When using your own certificate, upload it to Azure Vault in the same subscription and set up access to the certificate.

  • With your own certificate, CNAME validation is not required.

  • It may take 4-6 hours for the HTTPS status propagation to complete.
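As an added example for this control (not Blue Hexagon's own checker), the following Python evaluates custom-domain records and flags any domain whose custom HTTPS is not Enabled or whose minimum TLS version is not TLS 1.2. The field names are assumed to match the camelCase JSON printed by `az cdn custom-domain list`, and the three records are constructed for the example.

```python
# Added example (not Blue Hexagon's checker): evaluate Azure CDN custom-domain
# records for the custom HTTPS / minimum TLS control. Field names are assumed to
# match the camelCase JSON printed by `az cdn custom-domain list`.
import json

REQUIRED_TLS = "TLS12"  # ARM value for "TLS 1.2" in the portal

# Constructed sample: three custom domains on one endpoint.
SAMPLE_DOMAINS = json.loads("""
[
  {"name": "www-example", "hostName": "www.example.com",
   "customHttpsProvisioningState": "Enabled",
   "customHttpsParameters": {"certificateSource": "Cdn", "minimumTlsVersion": "TLS12"}},
  {"name": "static-example", "hostName": "static.example.com",
   "customHttpsProvisioningState": "Disabled",
   "customHttpsParameters": null},
  {"name": "legacy-example", "hostName": "legacy.example.com",
   "customHttpsProvisioningState": "Enabled",
   "customHttpsParameters": {"certificateSource": "AzureKeyVault", "minimumTlsVersion": "TLS10"}}
]
""")

def evaluate_custom_domain(domain: dict) -> list[str]:
    """Return the control failures for one custom-domain record (empty list = compliant)."""
    findings = []
    state = domain.get("customHttpsProvisioningState")
    if state != "Enabled":
        # Disabled, Enabling, Disabling, Failed or absent: HTTPS is not serving the domain yet.
        findings.append(f"custom HTTPS state is {state or 'unknown'}, expected Enabled")
    params = domain.get("customHttpsParameters") or {}
    min_tls = params.get("minimumTlsVersion")
    if params and min_tls != REQUIRED_TLS:
        # "None" leaves the CDN default; "TLS10" still accepts the deprecated protocol.
        findings.append(f"minimum TLS version is {min_tls or 'unset'}, expected {REQUIRED_TLS}")
    return findings

def evaluate_endpoint(domains: list[dict]) -> dict[str, list[str]]:
    """Map each non-compliant hostName to its findings; compliant domains are omitted."""
    report = {}
    for domain in domains:
        findings = evaluate_custom_domain(domain)
        if findings:
            report[domain["hostName"]] = findings
    return report

if __name__ == "__main__":
    for host, reasons in evaluate_endpoint(SAMPLE_DOMAINS).items():
        print(f"{host}: " + "; ".join(reasons))
```

Feed it the real list output for each endpoint to get the same verdict the portal steps above are meant to produce.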

Reference:

Blue Hexagon Proprietary