
Check that Azure App is using the latest version of HTTP

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: AppService-005

Ensure that your Microsoft Azure App Service web applications are using the latest version of the HTTP protocol (i.e. HTTP/2) in order to make your web applications load faster. HTTP/2 is a major upgrade of the HTTP/1.1 protocol whose primary goal is to reduce the impact of latency and connection load on web servers by implementing full request and response multiplexing, minimizing protocol overhead via compression of HTTP header fields, and adding support for HTTP request prioritization and server push.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Performance efficiency

Once enabled, HTTP/2 will make your Azure App Service web applications faster, simpler, and more robust, as this optimized version of the HTTP protocol no longer supports HTTP/1.1's chunked transfer encoding mechanism and provides its own, more efficient mechanism for data streaming. The main benefits of HTTP/2: it is fully multiplexed (instead of ordered and blocking like HTTP/1.1), it uses only one TCP/IP connection and can use this connection for parallelism, it uses header compression to reduce overhead, and it is binary.

Note: Most modern web browsers support the HTTP/2 protocol over TLS only, while non-encrypted traffic continues to use HTTP/1.1. To ensure that all your application clients are connecting to your web apps using HTTP/2, you can buy an Azure App Service certificate for your application's custom domain or bind a third-party certificate.


Audit

To determine if your Azure App Service applications are using the latest version of the HTTP protocol, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Portal.

02 Navigate to the App Services blade available at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the App Service web application that you want to examine, listed in the Name column.

04 In the resource navigation panel, under Settings, choose Configuration to access the configuration settings available for the selected web application.

05 Select the General settings tab and check the HTTP version setting available under Platform settings to determine the version of the HTTP protocol configured for your web application. If HTTP version is set to 1.1, the selected Microsoft Azure App Service web application is not configured to use the latest version of the HTTP protocol (i.e. HTTP/2).

06 Repeat steps no. 3 – 5 for each Azure App Service web application created within the current subscription.

07 Repeat steps no. 3 – 6 for other subscriptions available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the az webapp list command (Windows/macOS/Linux) with custom query filters to list the IDs of all App Service web applications available in your current Azure subscription:

az webapp list --query '[*].id'

02 The command output should return the requested Azure App Service application IDs:

[
	"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app",
	"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project-web-app"
]

03 Run the az webapp config show command (Windows/macOS/Linux), using the ID of the application that you want to examine as the identifier parameter and custom query filters, to determine if the selected Azure App Service web application is configured to use the latest version of the HTTP protocol (i.e. HTTP/2):

az webapp config show --ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app" --query 'http20Enabled'

04 The command output should return true if the selected web application is using HTTP/2 and false otherwise:

false

If the webapp config show command output returns false, as shown in the example above, HTTP/2 is not enabled, therefore the selected Microsoft Azure App Service web application is not configured to use the latest version of the HTTP protocol.

05 Repeat steps no. 3 and 4 for each Azure App Service web application available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable the HTTP/2 protocol for your Microsoft Azure App Service web applications, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Portal.

02 Navigate to the App Services blade available at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the App Service web application that you want to examine, listed in the Name column.

04 In the resource navigation panel, under Settings, choose Configuration to access the configuration settings available for the selected web application.

05 In the Platform settings section, select 2.0 from the HTTP version dropdown list to enable HTTP/2 (the latest version of the HTTP protocol) for the selected web application. Choose Save to apply the changes. Select Continue for confirmation.

06 Repeat steps no. 3 – 5 for each Azure App Service web application that you want to configure, deployed in the current Azure subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the az webapp config set command (Windows/macOS/Linux), using the ID of the Azure App Service web application that you want to configure as the identifier parameter, to enable HTTP/2 (the latest version of the HTTP protocol) for the selected web application:

az webapp config set --ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app" --http20-enabled true

02 If the operation is successful, the command output should return the information available for the configured Azure App Service web application:

{
	"availabilityState": "Normal",
	"clientAffinityEnabled": false,
	"clientCertEnabled": false,
	"clientCertExclusionPaths": null,
	"clientCertMode": "Required",
	"cloningInfo": null,
	"dailyMemoryTimeQuota": 0,
	"daprConfig": null,
	"defaultHostName": "cc-ecommerce-app.azurewebsites.net",
	"enabled": true,

	...
	
	"slotSwapStatus": null,
	"state": "Running",
	"storageAccountRequired": false,
	"trafficManagerHostNames": null,
	"type": "Microsoft.Web/sites",
	"usageState": "Normal",
	"virtualNetworkSubnetId": null,
	"vnetContentShareEnabled": false,
	"vnetImagePullEnabled": false,
	"vnetRouteAllEnabled": false,
	"workloadProfileName": null
}

03 Repeat steps no. 1 and 2 for each Azure App Service web application that you want to configure, available in the current Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
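
The "repeat for each application and each subscription" steps of the CLI audit and CLI remediation above can be run as one sweep. The following is an added example, not part of the original rule page: the function name audit_http2, its fix argument and the PASS/FAIL/FIXED/ERROR labels are hypothetical, and it assumes the Azure CLI is installed and signed in.

```shell
#!/usr/bin/env bash
# Added example, not from the rule page. Assumes `az login` has been run.
# Usage: audit_http2        report only
#        audit_http2 fix    also enable HTTP/2 where it is off
# Prints "<PASS|FAIL|FIXED|ERROR><TAB><app id>" for each web app.
# Returns 0 if every app ends with HTTP/2 on, 1 if not, 2 if the
# subscriptions could not be listed.
audit_http2() {
  local mode="${1:-audit}" rc=0 subs sub ids id state
  # Cover every enabled subscription (audit step 06, remediation step 04).
  subs=$(az account list --query "[?state=='Enabled'].id" -o tsv) || return 2
  for sub in $subs; do
    # Audit step 01. Web app resource IDs contain no whitespace, so the
    # unquoted $ids below splits into exactly one word per app.
    ids=$(az webapp list --subscription "$sub" --query '[].id' -o tsv) \
      || { printf 'ERROR\t%s\n' "/subscriptions/$sub"; rc=1; continue; }
    for id in $ids; do
      # Audit step 03: JSON output is the literal true or false.
      state=$(az webapp config show --ids "$id" \
        --query 'http20Enabled' -o json) || state=error
      if [ "$state" = "false" ] && [ "$mode" = "fix" ]; then
        # Remediation step 01.
        if az webapp config set --ids "$id" --http20-enabled true >/dev/null
        then state=fixed
        else state=error
        fi
      fi
      case "$state" in
        true)  printf 'PASS\t%s\n'  "$id" ;;
        fixed) printf 'FIXED\t%s\n' "$id" ;;
        false) printf 'FAIL\t%s\n'  "$id"; rc=1 ;;
        *)     printf 'ERROR\t%s\n' "$id"; rc=1 ;;
      esac
    done
  done
  return "$rc"
}
```

Source the file and call audit_http2 for a report, or audit_http2 fix to apply the remediation; the non-zero return code on any FAIL or ERROR line makes it usable as a scheduled compliance check.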

Publication date Sep 30, 2019