Web App does not use the latest version of TLS encryption

Description

The Transport Layer Security (TLS) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, for example, PCI DSS.

App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. For secure web app connections it is highly recommended to only use the latest TLS 1.2 version.

Fix - Runtime

Azure Portal

To change the policy using the Azure Portal, follow these steps:

1. Log in to the Azure Portal at https://portal.azure.com.
2. Navigate to App Services.
3. For each Web App, click App.
   a) Navigate to Setting section.
   b) Click SSL Settings.
   c) Navigate to Protocol Settings section.
   d) Set Minimum TLS Version to 1.2.

CLI Command

To set TLS Version for an existing app, use the following command:

az webapp config set 
--resource-group <RESOURCE_GROUP_NAME> 
--name <APP_NAME>
--min-tls-version 1.2

Fix - Buildtime

Terraform

• Resource: azurerm_app_service
• Argument: min_tls_version

resource "azurerm_app_service" "example" {
    ...
-   min_tls_version = <version>
    }
}