Azure App Service Web app doesn't redirect HTTP to HTTPS
Description
Azure Web Apps by default allows sites to run under both HTTP and HTTPS, and can be accessed by anyone using non-secure HTTP links. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. We recommend you enforce HTTPS-only traffic to increase security. This will redirect all non-secure HTTP requests to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated.
Code Example
resource "azurerm_app_service" "example" {
...
+ https_only = true
}Remediation
- Azure Portal To change the policy using the Azure Portal, follow these steps:*
. Log in to the Azure Portal at https://portal.azure.com.
. Navigate to * App Services*.
. For each App, click App. + a) Navigate to the * Setting* section. + b) Click * SSL settings*. + c) Navigate to the * Protocol Settings* section. + d) Set * HTTPS Only* to * On*.
- CLI Command*
To set HTTPS-only traffic for an existing app, use the following command:
az webapp update --resource-group & lt;RESOURCE_GROUP_NAME> --name & lt;APP_NAME> --set httpsOnly=false
=== Fix - Buildtime
Terraform
Resource: azurerm_app_service Argument: https_only
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0525 |
| Severity | MEDIUM |
| IaC Type | arm |
| Frameworks | ARM, |
| Checkov ID | CKV_AZURE_14 |