Check that Azure App is using the latest version of HTTP

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: AppService-005

Ensure that your Microsoft Azure App Service web applications are using the latest version of the HTTP protocol (i.e., HTTP/2) in order to make your web applications load faster. HTTP/2 is a major upgrade of the HTTP/1.1 protocol whose primary goal is to reduce the impact of latency and connection load on web servers by implementing full request and response multiplexing, minimizing protocol overhead through compression of HTTP header fields, and adding support for HTTP request prioritization and server push.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Performance efficiency

Once enabled, HTTP/2 will make your Azure App Service web applications faster, simpler, and more robust, as this optimized version of the HTTP protocol no longer supports the chunked transfer encoding mechanism of HTTP/1.1 and provides its own, more efficient mechanism for data streaming. The main benefits of HTTP/2: it is fully multiplexed (instead of ordered and blocking like HTTP/1.1), it uses only one TCP/IP connection and can use this connection for parallelism, it uses header compression to reduce overhead, and it is binary.

Note: Most modern web browsers support the HTTP/2 protocol over TLS only, while non-encrypted traffic continues to use HTTP/1.1. To ensure that all your application clients are connecting to your web apps using HTTP/2, you can buy an Azure App Service certificate for your application's custom domain or bind a third-party certificate.


Audit

To determine if your Azure App Service applications are using the latest version of the HTTP protocol, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select App Service, and choose Apply to list only the App Service web applications available in the selected Azure subscription.

05 Click on the name (link) of the web application that you want to examine, listed in the Name column.

06 In the resource navigation panel, under Settings, choose Configuration to access the configuration settings available for the selected web application.

07 Select the General settings tab and check the HTTP version dropdown list available under Platform settings to determine the version of the HTTP protocol configured for your web application. If HTTP version is set to 1.1, the selected Microsoft Azure App Service web application is not configured to use the latest version of the HTTP protocol (i.e., HTTP/2).

08 Repeat steps no. 5 – 7 for each Azure App Service web application available within the selected subscription.

09 Repeat steps no. 3 – 8 for other subscriptions available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run webapp list command (Windows/macOS/Linux) with custom output filters to list the IDs of all App Service web applications available in the selected Azure subscription:

az webapp list --query '[*].id'

05 The command output should return the requested web application IDs:

[
	"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app",
	"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project-web-app"
]

06 Run webapp config show command (Windows/macOS/Linux) with the ID of the web application that you want to examine as the identifier parameter and custom output filters to determine if the selected application is configured to use the latest version of the HTTP protocol (i.e., HTTP/2):

az webapp config show --ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app" --query 'http20Enabled'

07 The command output should return true if the selected web application is using HTTP/2 and false otherwise:

false

If the webapp config show command output returns false, as shown in the example above, HTTP/2 is not enabled. Therefore, the selected Microsoft Azure App Service web application is not configured to use the latest version of the HTTP protocol.

08 Repeat steps no. 6 and 7 for each Azure App Service web application available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
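
The CLI audit steps above, run as a single loop over every subscription and web app. This is an added example, not part of the original rule page or Trend Micro's tooling. The function names and the COMPLIANT / NONCOMPLIANT / UNKNOWN labels are assumptions of this example, and it assumes an authenticated Azure CLI session.

```sh
#!/bin/sh
# Added example: audit steps 01-09 for rule AppService-005 as one loop.
# Function names and status labels are illustrative, not from the page.
# The az commands and the http20Enabled query are the ones the page uses.

# Classify one web app (steps 06-07).
# Prints "<STATUS><TAB><app-id>"; a failed or empty read is never a pass.
check_app() {
    http2=$(az webapp config show --ids "$1" --query 'http20Enabled' --output tsv) || http2=error
    case "$http2" in
        true|True)   printf 'COMPLIANT\t%s\n' "$1" ;;
        false|False) printf 'NONCOMPLIANT\t%s\n' "$1" ;;
        *)           printf 'UNKNOWN\t%s\n' "$1" ;;
    esac
}

# Audit every App Service web app in one subscription (steps 04-08).
# --subscription is the Azure CLI global argument; unlike "az account set"
# it leaves the caller's active subscription unchanged.
audit_subscription() {
    apps=$(az webapp list --subscription "$1" --query '[*].id' --output tsv) || {
        # Listing failed (for example, no read access): report it, do not skip it.
        printf 'UNKNOWN\t/subscriptions/%s\n' "$1"
        return 0
    }
    printf '%s\n' "$apps" | while IFS= read -r app_id; do
        [ -z "$app_id" ] || check_app "$app_id"
    done
}

# Audit every subscription visible to the signed-in identity (steps 01-03, 09).
audit_all() {
    subs=$(az account list --query '[*].id' --output tsv) || return 1
    printf '%s\n' "$subs" | while IFS= read -r sub_id; do
        [ -z "$sub_id" ] || audit_subscription "$sub_id"
    done
}

# Runs only when requested, e.g.:
#   AUDIT_HTTP2=1 sh audit-http2.sh | grep -v '^COMPLIANT'
if [ "${AUDIT_HTTP2:-0}" = 1 ]; then audit_all; fi
```

UNKNOWN rows mark apps or subscriptions the signed-in identity could not read; review them rather than counting them as passing.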

Remediation / Resolution

To enable the HTTP/2 protocol for your Microsoft Azure App Service web applications, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select App Service, and choose Apply to list only the App Service web applications available in the selected Azure subscription.

05 Click on the name (link) of the web application that you want to configure, listed in the Name column.

06 In the resource navigation panel, under Settings, choose Configuration to access the configuration settings available for the selected web application.

07 In the Platform settings section, select 2.0 from the HTTP version dropdown list to enable HTTP/2, the latest version of the HTTP protocol, for the selected web application. Choose Save to apply the changes. Your web application may restart if you are updating application settings. Select Continue for confirmation.

08 Repeat steps no. 5 – 7 for each Azure App Service web application that you want to configure, deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to access as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run webapp config set command (Windows/macOS/Linux) with the ID of the Azure App Service web application that you want to configure as the identifier parameter, to enable HTTP/2, the latest version of the HTTP protocol, for the selected web application:

az webapp config set --ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app" --http20-enabled true

05 If the operation is successful, the command output should return the information available for the configured web application:

{
	"acrUseManagedIdentityCreds": false,
	"acrUserManagedIdentityId": null,
	"alwaysOn": false,
	"apiDefinition": null,
	"apiManagementConfig": null,
	"appCommandLine": "",
	"appSettings": null,
	"autoHealEnabled": false,
	"autoHealRules": null,

	...

	"autoSwapSlotName": null,
	"azureStorageAccounts": {},
	"connectionStrings": null,
	"cors": null,
	"vnetPrivatePortsCount": 0,
	"vnetRouteAllEnabled": false,
	"webSocketsEnabled": false,
	"websiteTimeZone": null,
	"windowsFxVersion": null,
	"xManagedServiceIdentityId": null
}

06 Repeat steps no. 4 and 5 for each Azure App Service web application that you want to configure, available in the selected Azure subscription.

07 Repeat steps no. 3 – 6 for each subscription created within your Microsoft Azure cloud account.

Publication date Sep 30, 2019