📝 Azure App Service HTTPS Only configuration is not enabled 🟢

• Contextual name: 📝 HTTPS Only configuration is not enabled 🟢
• ID: /ce/ca/azure/app-service/https-only-configuration
• Located in: 📁 Azure App Service

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Enable HTTPS-Only Traffic
• Internal
  • dec-x-75db76ad

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-75db76ad	1

Logic

• 🧠 prod.logic.yaml 🟢
  • 📗 Azure App Service
  • 🔌 Azure App Service - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.

Rationale

Enabling HTTPS-only traffic will redirect all non-secure HTTP requests to HTTPS ports. HTTPS uses the TLS/SSL protocol to provide a secure connection which is both encrypted and authenticated. It is therefore important to support HTTPS for the security benefits.

Impact

When it is enabled, every incoming HTTP request is redirected to the HTTPS port. This means an extra level of security will be added to the HTTP requests made to the app.

Audit

From Azure Portal

1. Login to Azure Portal using https://portal.azure.com.
2. Go to App Services.
3. Click on each App.
4. Under Setting section, click on Configuration.
5. Under the General Settings tab, ensure that HTTPS Only is set to On under Platform Settings.

... see more

Remediation

Open File

Remediation

From Azure Portal

1. Login to Azure Portal using https://portal.azure.com.
2. Go to App Services.
3. For each App Service.
4. Under Setting section, click on Configuration.
5. Under the General Settings tab, set HTTPS Only to On under Platform Settings.

From Azure CLI

To set HTTPS-only traffic value for an existing app, run the following command:

az webapp update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --set httpsOnly=true

From PowerShell

Set-AzWebApp -ResourceGroupName <RESOURCE_GROUP_NAME> -Name <APP_NAME> -HttpsOnly $true

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).		21	22
💼 CIS Azure v1.1.0 → 💼 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service		1	1
💼 CIS Azure v1.3.0 → 💼 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service - Level 1 (Automated)		1	1
💼 CIS Azure v1.4.0 → 💼 9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service - Level 1 (Automated)		1	1
💼 CIS Azure v1.5.0 → 💼 9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service - Level 1 (Automated)		1	1
💼 CIS Azure v2.0.0 → 💼 9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service - Level 1 (Automated)		1	1
💼 CIS Azure v2.1.0 → 💼 9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service - Level 1 (Automated)		1	1
💼 CIS Azure v3.0.0 → 💼 9.1 Ensure 'HTTPS Only' is set to 'On' (Automated)			1
💼 Cloudaware Framework → 💼 Data Encryption			42
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	64
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	36	75
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)		25	26
💼 FedRAMP High Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			17
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	45
💼 FedRAMP High Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1	8	17
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		8	16
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	24
💼 FedRAMP High Security Controls → 💼 SC-23 Session Authenticity (M)(H)		7	13
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			64
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			30
💼 FedRAMP Low Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		17
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			16
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			24
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			64
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		60
💼 FedRAMP Moderate Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			17
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		39
💼 FedRAMP Moderate Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		17
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			16
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			24
💼 FedRAMP Moderate Security Controls → 💼 SC-23 Session Authenticity (M)(H)			13
💼 ISO/IEC 27001:2013 → 💼 A.10.1.1 Policy on the use of cryptographic controls		18	19
💼 ISO/IEC 27001:2013 → 💼 A.14.1.2 Securing application services on public networks		5	5
💼 ISO/IEC 27001:2013 → 💼 A.14.1.3 Protecting application services transactions		10	14
💼 ISO/IEC 27001:2022 → 💼 5.14 Information transfer		8	10
💼 NIST CSF v1.1 → 💼 DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed		10	14
💼 NIST CSF v1.1 → 💼 ID.AM-3: Organizational communication and data flows are mapped		4	7
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		10	22
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected		16	31
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	66
💼 NIST CSF v1.1 → 💼 PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity		22	26
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		10	22
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			134
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			45
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk			22
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			114
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			94
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			108
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			66
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains		30	32
💼 NIST SP 800-53 Revision 5 → 💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption		12	17
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection		8	15
💼 PCI DSS v3.2.1 → 💼 2.2.4 Configure system security parameters to prevent misuse.			16
💼 PCI DSS v3.2.1 → 💼 2.3 Encrypt all non-console administrative access using strong cryptography.		3	8
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.	1	8	21
💼 PCI DSS v3.2.1 → 💼 4.2 Never send unprotected PANs by enduser messaging technologies.			4
💼 PCI DSS v3.2.1 → 💼 8.2.1 Using strong cryptography, render all authentication credentials unreadable during transmission and storage on all system components.			14
💼 PCI DSS v4.0.1 → 💼 2.2.6 System security parameters are configured to prevent misuse.			16
💼 PCI DSS v4.0.1 → 💼 2.2.7 All non-console administrative access is encrypted using strong cryptography.			8
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		21
💼 PCI DSS v4.0.1 → 💼 4.2.2 PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.			4
💼 PCI DSS v4.0.1 → 💼 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.			14
💼 PCI DSS v4.0 → 💼 2.2.6 System security parameters are configured to prevent misuse.		12	16
💼 PCI DSS v4.0 → 💼 2.2.7 All non-console administrative access is encrypted using strong cryptography.		4	8
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2	9	21
💼 PCI DSS v4.0 → 💼 4.2.2 PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.		3	4
💼 PCI DSS v4.0 → 💼 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.		6	14
💼 SOC 2 → 💼 CC6.6-1 Restricts Access		16	19