Enable HTTPS-Only Traffic

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AppService-006

Ensure that your Azure App Service web applications redirect all non-secure HTTP traffic to HTTPS in order to encrypt the communication between applications and web clients. HTTPS uses the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocol to provide a secure connection, which is both encrypted and authenticated. This adds an extra layer of security to the HTTP requests made to the web application.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Enforcing HTTPS-only traffic for your Azure App Service applications guarantees that the traffic between the web application servers and the application clients is encrypted, so it cannot be decrypted by malicious users even if they are able to intercept packets sent across the Internet.


Audit

To determine if your Azure App Service web apps are configured to implement HTTPS-only traffic, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the App Service web application that you want to examine.

04 In the navigation panel, under Settings, select TLS/SSL settings to access the Transport Layer Security (TLS)/Secure Sockets Layer (SSL) configuration settings available for the selected app.

05 On the TLS/SSL settings panel, under Protocol Settings, check the HTTPS Only configuration setting. If the setting status is Off, the selected Microsoft Azure App Service web application does not enforce HTTP to HTTPS redirection, thus its TLS/SSL configuration is not compliant.

06 Repeat steps no. 3 – 5 for each Azure App Service application available within the current subscription.

07 Repeat steps no. 3 – 6 for other subscriptions created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp list command (Windows/macOS/Linux) using custom query filters to list the IDs of all App Service web applications deployed in the current Azure subscription:

az webapp list \
  --query '[*].id'

02 The command output should return the requested web application IDs:

[
  "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-node10-webapp",
  "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-internal-webapp"
]

03 Run webapp show command (Windows/macOS/Linux) using the ID of the web app that you want to examine as identifier parameter and custom query filters to describe the HTTPS-only feature status available for the selected web application:

az webapp show \
  --ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-node10-webapp" \
  --query 'httpsOnly'

04 The command output should return the HTTPS-only feature configuration status (true for enabled, false for disabled):

false

If the webapp show command output returns false, as shown in the example above, the selected Microsoft Azure App Service web application does not enforce HTTP to HTTPS redirection, therefore the app TLS/SSL configuration is not compliant.

05 Repeat steps no. 3 and 4 for each Azure App Service application deployed in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.

Remediation / Resolution

To enforce HTTPS-only traffic for your Microsoft Azure App Service web applications in order to redirect all HTTP traffic to HTTPS (Secure HTTP), perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the web application that you want to reconfigure (see Audit section part I to identify the right app).

04 In the navigation panel, under Settings, select TLS/SSL settings to access the Transport Layer Security (TLS)/Secure Sockets Layer (SSL) configuration settings available for the selected application.

05 On the TLS/SSL settings panel, under Protocol Settings, select On next to HTTPS Only to enable the HTTPS-only feature. Once the feature becomes active, the Azure Management Console should display the following confirmation message: "HTTPS Only was successfully set to On".

06 Repeat steps no. 3 – 5 for each Azure App Service web application that you want to reconfigure to enforce HTTPS-only traffic, available in the current subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp update command (Windows/macOS/Linux) using the ID of the Microsoft Azure App Service web application that you want to reconfigure as identifier parameter (see Audit section part II to identify the right app) to enable the HTTPS-only feature for the selected web application. Once the feature is enabled, all incoming HTTP requests are redirected to the designated HTTPS port:

az webapp update \
  --ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-node10-webapp" \
  --https-only true

02 The command output should return the metadata for the reconfigured Microsoft Azure App Service application:

{
  "availabilityState": "Normal",
  "clientAffinityEnabled": false,
  "clientCertEnabled": false,
  "clientCertExclusionPaths": null,
  "cloningInfo": null,
  "containerSize": 0,
  "dailyMemoryTimeQuota": 0,
  "defaultHostName": "cc-node10-webapp.azurewebsites.net",
  "enabled": true,
  "httpsOnly": true,
  "hyperV": false,
  "id": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-node10-webapp",
  "identity": null,
  "inProgressOperationId": null,
  "isDefaultContainer": null,
  "isXenon": false,
  "kind": "app,linux",
  "lastModifiedTimeUtc": "2019-09-22T11:20:32.903333",
 
  ...
 
  "location": "West Europe",
  "maxNumberOfWorkers": null,
  "name": "cc-node10-webapp",
  "redundancyMode": "None",
  "repositorySiteName": "cc-node10-webapp",
  "reserved": true,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "scmSiteAlsoStopped": false,
  "serverFarmId": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/serverfarms/ASP-cloudshellstoragewesteurope-abcd",
  "siteConfig": null,
  "slotSwapStatus": null,
  "state": "Running",
  "suspendedTill": null,
  "targetSwapSlot": null,
  "trafficManagerHostNames": null,
  "type": "Microsoft.Web/sites",
  "usageState": "Normal"
}

03 Repeat steps no. 1 and 2 for each Azure App Service web application that you want to reconfigure in order to enable HTTPS-only traffic, available in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
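The Azure CLI audit and remediation steps above are written for one app in one subscription at a time. The script below is an added example (not Conformity's own code) that automates both procedures across every enabled subscription the signed-in identity can see. It assumes the Azure CLI is installed and you have already run az login; the function and file names (find_noncompliant, audit_subscription, enable_https_only, redirect_target, sample_tsv) are this example's own. The compliance filter is a pure function over the tab-separated output of az webapp list, so it can be exercised on the constructed sample below without any Azure access; the --fix mode runs the same az webapp update command the page uses in Remediation step 01.

```shell
#!/bin/sh
# Added example (not part of the Conformity page): audit, and optionally fix,
# the "HTTPS Only" setting on every App Service web app in every subscription.
# Assumptions: Azure CLI ("az") installed and signed in (az login); Reader
# rights suffice for "audit", Contributor rights are needed for "fix".
#   ./https_only_audit.sh audit   # list non-compliant apps, exit 1 if any
#   ./https_only_audit.sh fix     # same, but enable HTTPS Only on each
#   ./https_only_audit.sh demo    # run the filter on the constructed sample
set -eu

# Filter for the output of:
#   az webapp list --query "[].[id, httpsOnly]" -o tsv
# (one line per app: "<resource id>\t<True|False>"; az prints booleans in
# TSV as True/False, hence the lower-casing). Prints only the IDs of apps
# that do NOT enforce HTTPS-only traffic, i.e. the non-compliant ones.
find_noncompliant() {
  awk -F'\t' 'tolower($2) != "true" { print $1 }'
}

# Audit one subscription (Audit section, CLI steps 01-04, in one call).
audit_subscription() {
  sub="$1"
  az webapp list --subscription "$sub" --query "[].[id, httpsOnly]" -o tsv \
    | find_noncompliant
}

# Remediation step 01 for one app; prints the resulting httpsOnly value
# (expected: true) so the fix is confirmed from the API's own response.
enable_https_only() {
  app_id="$1"
  az webapp update --ids "$app_id" --https-only true --query httpsOnly -o tsv
}

# Optional external confirmation: once HTTPS Only is on, a plain HTTP request
# to the app's default hostname should be redirected to https://. Prints the
# redirect target (empty if the app answered without redirecting).
redirect_target() {
  host="$1"
  curl -sS -o /dev/null -I -w '%{redirect_url}' "http://$host/"
}

# Constructed sample input mirroring the page's two app IDs, with the first
# one non-compliant (httpsOnly False), for offline runs and tests.
sample_tsv() {
  printf '%s\t%s\n' \
    "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-node10-webapp" False \
    "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-internal-webapp" True
}

# Walk every enabled subscription; exit status 1 if any app is non-compliant.
main() {
  fix=0
  [ "${1:-}" = "--fix" ] && fix=1
  found=0
  for sub in $(az account list --query "[?state=='Enabled'].id" -o tsv); do
    # Resource IDs contain no whitespace, so word splitting is safe here.
    for app_id in $(audit_subscription "$sub"); do
      found=1
      echo "NON-COMPLIANT: $app_id"
      if [ "$fix" -eq 1 ]; then
        echo "  -> httpsOnly now: $(enable_https_only "$app_id")"
      fi
    done
  done
  [ "$found" -eq 0 ]
}

case "${1:-}" in
  audit) main ;;
  fix)   main --fix ;;
  demo)  sample_tsv | find_noncompliant ;;
  *)     : ;;   # no argument: only define the functions (for sourcing/tests)
esac
```

Running the script with demo prints only the cc-node10-webapp ID, matching the false result shown in Audit step 04; with audit it reports every non-compliant app across subscriptions and exits non-zero, which makes it usable as a scheduled check, and fix applies the remediation and echoes the httpsOnly value returned by az webapp update so the change is confirmed from the same metadata the page shows in Remediation step 02.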

Publication date Sep 30, 2019