Ensure Azure App Service Web app redirects HTTP to HTTPS

Error: Azure App Service Web app does not redirect HTTP to HTTPS

Bridgecrew Policy ID: BC_AZR_NETWORKING_5
Checkov Check ID: CKV_AZURE_14
Severity: MEDIUM

Description

By default, Azure Web Apps allow sites to run under both HTTP and HTTPS, so they can be accessed by anyone using non-secure HTTP links. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port.

We recommend you enforce HTTPS-only traffic to increase security. This will redirect all non-secure HTTP requests to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated.

Fix - Runtime

Azure Portal

To change the policy using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Navigate to App Services.
  3. For each app, click the app.
    a) Navigate to the Settings section.
    b) Click SSL settings.
    c) Navigate to the Protocol Settings section.
    d) Set HTTPS Only to On.

CLI Command

To set HTTPS-only traffic for an existing app, use the following command:

az webapp update \
  --resource-group <RESOURCE_GROUP_NAME> \
  --name <APP_NAME> \
  --set httpsOnly=true

Fix - Buildtime

Terraform

Resource: azurerm_app_service
Argument: https_only

resource "azurerm_app_service" "example" {
    ...
+   https_only          = true
}
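
A build-time check in the same spirit as CKV_AZURE_14, written here as an added example (not Checkov's or Bridgecrew's own code): it scans the JSON form of a Terraform plan for azurerm_app_service resources whose https_only would not be true after apply. The plan data is constructed, and find_http_allowed is a hypothetical helper name.

```python
import json

# Constructed sample: trimmed `terraform show -json plan.out` output (not from the page).
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_app_service.ok", "type": "azurerm_app_service",
   "change": {"actions": ["create"], "after": {"https_only": true}, "after_unknown": {}}},
  {"address": "azurerm_app_service.explicit_off", "type": "azurerm_app_service",
   "change": {"actions": ["update"], "after": {"https_only": false}, "after_unknown": {}}},
  {"address": "azurerm_app_service.unset", "type": "azurerm_app_service",
   "change": {"actions": ["create"], "after": {"name": "unset"}, "after_unknown": {}}},
  {"address": "azurerm_app_service.removed", "type": "azurerm_app_service",
   "change": {"actions": ["delete"], "after": null, "after_unknown": {}}},
  {"address": "azurerm_app_service.computed", "type": "azurerm_app_service",
   "change": {"actions": ["create"], "after": {}, "after_unknown": {"https_only": true}}},
  {"address": "azurerm_storage_account.sa", "type": "azurerm_storage_account",
   "change": {"actions": ["create"], "after": {"name": "sa"}, "after_unknown": {}}}
]}
""")


def find_http_allowed(plan, resource_type="azurerm_app_service"):
    """Return (address, reason) for each planned app that could still serve plain HTTP.

    find_http_allowed is a hypothetical helper name, not a Checkov API.
    """
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != resource_type:
            continue
        change = rc.get("change") or {}
        after = change.get("after")
        if after is None:
            # Resource is being destroyed, so there is nothing left to enforce.
            continue
        if (change.get("after_unknown") or {}).get("https_only"):
            # Value is computed at apply time; fail closed instead of assuming true.
            findings.append((rc["address"], "https_only not known until apply"))
        elif after.get("https_only") is not True:
            # Explicit false and a missing argument both leave HTTP reachable.
            findings.append((rc["address"], "https_only is false or unset"))
    return findings


if __name__ == "__main__":
    for address, reason in find_http_allowed(SAMPLE_PLAN):
        print(f"FAIL CKV_AZURE_14 {address}: {reason}")
```

Against a real plan, load the output of `terraform show -json` with `json.load` and fail the pipeline when the returned list is not empty.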