Ensure Web App has incoming client certificates enabled

Error: Azure App Service Web app client certificate is disabled

Bridgecrew Policy ID: BC_AZR_NETWORKING_7
Checkov Check ID: CKV_AZURE_17
Severity: MEDIUM


Description

Enabling incoming client certificates makes the App Service front end request a certificate from the client during the TLS handshake (TLS mutual authentication). In the default client certificate mode, Required, a request that presents no certificate is rejected before it reaches the app; the Optional modes let such requests through and leave the decision to application code.

Note that App Service only enforces that a certificate is presented. It does not validate the certificate against a CA, a pin list or a revocation source; it forwards the certificate to the app, base64-encoded, in the X-ARR-ClientCert request header, and the app must verify the issuer, validity period and identity itself. The setting therefore guarantees that clients are asked to authenticate; the app still has to decide which certificates to accept.
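Since App Service forwards the certificate rather than validating it, the app side of the setting matters. The following is an added example (not code from Bridgecrew, Checkov or Azure) of the minimum an app should do with the X-ARR-ClientCert header: decode it and pin the certificate's SHA-256 fingerprint against an allow list, using only the Python standard library. The allow list, the header dictionaries and the DER byte string are constructed for the example; in a real deployment the DER bytes would be the client's certificate and the fingerprints would come from app settings. Issuer, validity-period and revocation checks need an X.509 library and are not shown.

```python
import base64
import binascii
import hashlib
import hmac

# App Service terminates TLS at its front end and forwards the client
# certificate to the app as base64-encoded DER in this request header.
CLIENT_CERT_HEADER = "X-ARR-ClientCert"


def fingerprint(der: bytes) -> str:
    """Lower-case hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def validate_client_cert(headers: dict, allowed_fingerprints: set) -> tuple:
    """Return (accepted, reason) for one request.

    Trust this header only when the app is reachable solely through the
    App Service front end with client certificates enabled; a client that
    could reach the app directly could set the header itself.
    """
    # Header names arrive in varying case depending on the WSGI server.
    raw = next((v for k, v in headers.items()
                if k.lower() == CLIENT_CERT_HEADER.lower()), None)
    if not raw:
        # With clientCertMode=Required the front end has already rejected
        # this request; with an Optional mode it reaches the app and must
        # be refused here.
        return False, "no client certificate presented"
    try:
        der = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return False, "client certificate header is not valid base64"
    if not der:
        return False, "empty certificate"
    fp = fingerprint(der)
    # Constant-time comparison against each pinned fingerprint.
    if any(hmac.compare_digest(fp, pinned) for pinned in allowed_fingerprints):
        return True, "certificate matches a pinned fingerprint"
    return False, f"certificate {fp[:16]}... is not in the allow list"


# Constructed sample: a stand-in for the DER bytes of a client certificate.
SAMPLE_DER = b"constructed stand-in for a DER-encoded client certificate"
SAMPLE_HEADER_VALUE = base64.b64encode(SAMPLE_DER).decode("ascii")


def demo() -> dict:
    """Exercise the validator on the constructed sample inputs."""
    pins = {fingerprint(SAMPLE_DER)}
    return {
        "pinned": validate_client_cert(
            {"X-ARR-ClientCert": SAMPLE_HEADER_VALUE}, pins)[0],
        "lowercase_header": validate_client_cert(
            {"x-arr-clientcert": SAMPLE_HEADER_VALUE}, pins)[0],
        "missing": validate_client_cert({}, pins)[0],
        "garbage": validate_client_cert(
            {"X-ARR-ClientCert": "not base64!"}, pins)[0],
        "unpinned": validate_client_cert(
            {"X-ARR-ClientCert": SAMPLE_HEADER_VALUE}, {"00" * 32})[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Pinning by fingerprint is deliberately narrow: it accepts exactly the certificates you enrolled and nothing else, which is the right default for a small set of machine clients. A larger PKI needs issuer and chain validation instead, and a rotation plan for the pins.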

Fix - Runtime

Azure Portal

To change the setting using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Navigate to App Services.
  3. For each Web App, click the app name.
    a) Navigate to the Settings section.
    b) Click SSL Settings (named TLS/SSL settings in newer portal versions).
    c) Navigate to the Protocol Settings section.
    d) Set Incoming client certificates to On. In the current portal the same control is Client certificate mode under Configuration > General settings; set it to Require so that requests without a certificate are rejected.

CLI Command

To enable incoming client certificates on an existing app, use the following command (clientCertMode defaults to Required once client certificates are enabled, so requests without a certificate are rejected at the front end):

az webapp update \
  --resource-group <RESOURCE_GROUP_NAME> \
  --name <APP_NAME> \
  --set clientCertEnabled=true
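To find every app in a subscription that fails this policy before fixing them one by one, the check can be run over the output of `az webapp list -o json`. The script below is an added example, not Bridgecrew or Azure code: it applies the same condition as CKV_AZURE_17 (clientCertEnabled must be true) and additionally flags apps whose clientCertMode is not Required, since the Optional modes admit requests without a certificate. The JSON sample is constructed and trimmed to the four fields the check reads (name, resourceGroup, clientCertEnabled, clientCertMode); a real run would pipe the CLI output into the script instead.

```python
import json
import sys

# Constructed sample of `az webapp list -o json`, trimmed to the fields
# this check needs. The real output carries many more properties.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "api-prod", "resourceGroup": "rg-prod",
     "clientCertEnabled": True, "clientCertMode": "Required"},
    {"name": "api-staging", "resourceGroup": "rg-prod",
     "clientCertEnabled": False, "clientCertMode": "Required"},
    {"name": "portal", "resourceGroup": "rg-web",
     "clientCertEnabled": True, "clientCertMode": "Optional"},
])


def audit_client_certs(az_json: str) -> list:
    """Return (resourceGroup, name, finding) tuples for every app that does
    not enforce incoming client certificates.

    clientCertEnabled=false is the condition CKV_AZURE_17 reports. A mode of
    Optional or OptionalInteractiveUser lets requests without a certificate
    reach the app, so only Required is treated as enforcing.
    """
    findings = []
    for app in json.loads(az_json):
        rg, name = app.get("resourceGroup"), app.get("name")
        if not app.get("clientCertEnabled"):
            findings.append((rg, name, "clientCertEnabled is false"))
        # clientCertMode defaults to Required when the property is absent.
        mode = app.get("clientCertMode", "Required")
        if mode != "Required":
            findings.append((rg, name, f"clientCertMode is {mode}"))
    return findings


def remediation_commands(findings: list) -> list:
    """The az CLI command that fixes each finding, in the same --set form as
    the runtime fix above."""
    cmds = []
    for rg, name, finding in findings:
        prop = ("clientCertEnabled=true" if finding.startswith("clientCertEnabled")
                else "clientCertMode=Required")
        cmds.append(f"az webapp update --resource-group {rg} --name {name} --set {prop}")
    return cmds


if __name__ == "__main__":
    # Usage: az webapp list -o json | python audit_client_certs.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AZ_OUTPUT
    found = audit_client_certs(data)
    for rg, name, finding in found:
        print(f"{rg}/{name}: {finding}")
    for cmd in remediation_commands(found):
        print(cmd)
```

Review the generated commands before running them: switching an app to Required cuts off every caller that does not present a certificate, so the allow list on the application side has to be in place first.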

Fix - Buildtime

Terraform

  • Resource: azurerm_app_service
  • Argument: client_cert_enabled
resource "azurerm_app_service" "example" {
    ...
+   client_cert_enabled          = true
}

The azurerm_app_service resource is deprecated in the azurerm provider. Its replacements, azurerm_linux_web_app and azurerm_windows_web_app, spell the argument client_certificate_enabled (with client_certificate_mode to choose Required), and the check evaluates those resources as well.