Ensure Web App has incoming client certificates enabled
Error: Azure App Service Web app client certificate is disabled
Bridgecrew Policy ID: BC_AZR_NETWORKING_7
Checkov Check ID: CKV_AZURE_17
Severity: MEDIUM
Description
Client certificates allow the Web App to require a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.
TLS mutual authentication is used in enterprise environments to ensure the authenticity of clients to the server. If incoming client certificates are enabled, only an authenticated client with a valid certificate can access the app.
Fix - Runtime
Azure Portal
To change the policy using the Azure Portal, follow these steps:
- Log in to the Azure Portal at https://portal.azure.com.
- Navigate to App Services.
- For each Web App, click App.
  a) Navigate to the Setting section.
  b) Click SSL Settings.
  c) Navigate to the Protocol Settings section.
  d) Set Incoming client certificates to On.
CLI Command
To set the Incoming client certificates value for an existing app, use the following command:
az webapp update \
  --resource-group <RESOURCE_GROUP_NAME> \
  --name <APP_NAME> \
  --set clientCertEnabled=true
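To find which apps need the command above, the following added example (not part of the original policy page and not Checkov's own code) audits the JSON returned by `az webapp list --output json` and builds the page's `az webapp update` command as an argument list for each failing app. It goes slightly beyond the page by also flagging a `clientCertMode` other than `Required`; the app names, resource groups and sample JSON are constructed.

```python
import json

# Constructed sample shaped like `az webapp list --output json`
# (only the fields this audit reads; names and groups are made up).
SAMPLE_AZ_OUTPUT = """
[
  {"name": "orders-api", "resourceGroup": "rg-prod", "clientCertEnabled": true,  "clientCertMode": "Required"},
  {"name": "billing-ui", "resourceGroup": "rg-prod", "clientCertEnabled": false, "clientCertMode": "Required"},
  {"name": "partner-gw", "resourceGroup": "rg-ext",  "clientCertEnabled": true,  "clientCertMode": "Optional"},
  {"name": "legacy-app", "resourceGroup": "rg-old"}
]
"""

def audit_client_certs(az_json: str) -> list[dict]:
    """Return one finding per app that does not require client certificates."""
    findings = []
    for app in json.loads(az_json):
        name, group = app.get("name"), app.get("resourceGroup")
        mode = app.get("clientCertMode")
        if app.get("clientCertEnabled") is not True:
            # Missing or null is treated as disabled (fail closed).
            reason = "clientCertEnabled is not true"
            # Same command as on the page, as an argv list so app names
            # are never interpolated into a shell string.
            fix = ["az", "webapp", "update", "--resource-group", group,
                   "--name", name, "--set", "clientCertEnabled=true"]
        elif mode not in (None, "Required"):
            # Assumption: an absent mode is left to the platform default;
            # only an explicit non-Required mode is flagged.
            reason = f"clientCertMode is {mode}: certificate requested, not required"
            fix = None  # the page gives no command for the mode setting
        else:
            continue
        findings.append({"name": name, "resourceGroup": group,
                         "reason": reason, "fix": fix})
    return findings

if __name__ == "__main__":
    for f in audit_client_certs(SAMPLE_AZ_OUTPUT):
        print(f"FAIL {f['resourceGroup']}/{f['name']}: {f['reason']}")
        if f["fix"]:
            print("  fix:", " ".join(f["fix"]))
```
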
Fix - Buildtime
Terraform
- Resource: azurerm_app_service
- Argument: client_cert_enabled
resource "azurerm_app_service" "example" {
...
+ client_cert_enabled = true
}