Skip to main content

πŸ›‘οΈ Azure App Service HTTPS Only configuration is not enabled🟒

  • Contextual name: πŸ›‘οΈ HTTPS Only configuration is not enabled🟒
  • ID: /ce/ca/azure/app-service/https-only-configuration
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-75db76ad1

Description​

Open File

Description​

Azure Web Apps allow sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links. Non-secure HTTP requests can be restricted and redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.

Rationale​

Enabling HTTPS-only traffic redirects all non-secure HTTP requests to HTTPS ports. HTTPS uses the TLS/SSL protocol to provide a secure connection that is both encrypted and authenticated. It is therefore important to support HTTPS for the security benefits.

Impact​

When it is enabled, every incoming HTTP request is redirected to the HTTPS port. This adds an extra level of security to the HTTP requests made to the app.

Audit​

From Azure Portal​
  1. Log in to the Azure portal using https://portal.azure.com.
  2. Go to App Services.
  3. Select each app.
  4. Under Settings, select Configuration.
  5. Under the General Settings tab, ensure that HTTPS Only is set to On under Platform Settings.
From Azure CLI​

To check HTTPS-only traffic value for an existing app, run the following command:

... see more

Remediation​

Open File

Remediation​

From Azure Portal​

  1. Log in to the Azure portal using https://portal.azure.com.
  2. Go to App Services.
  3. For each App Service, do the following:
  4. Under Settings, select Configuration.
  5. Under the General Settings tab, set HTTPS Only to On under Platform Settings.

From Azure CLI​

To set HTTPS-only traffic value for an existing app, run the following command:

az webapp update \
    --resource-group {{resource-group-name}} \
    --name {{app-name}} \
    --set httpsOnly=true

From PowerShell​

Set-AzWebApp `
    -ResourceGroupName {{resource-group-name}} `
    -Name {{app-name}} `
    -HttpsOnly $true

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).2122no data
πŸ’Ό CIS Azure v1.1.0 β†’ πŸ’Ό 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service11no data
πŸ’Ό CIS Azure v1.3.0 β†’ πŸ’Ό 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v1.4.0 β†’ πŸ’Ό 9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v1.5.0 β†’ πŸ’Ό 9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v2.0.0 β†’ πŸ’Ό 9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 9.1 Ensure 'HTTPS Only' is set to 'On' (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption70no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3784no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)237105no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(4) Flow Control of Encrypted Information (H)2627no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)21no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)10884no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)1825no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)824no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1643no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-23 Session Authenticity (M)(H)721no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)84no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)49no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)125no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)24no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)43no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)84no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)189no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)21no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)768no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)125no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)24no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)43no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-23 Session Authenticity (M)(H)21no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.10.1.1 Policy on the use of cryptographic controls1819no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.14.1.2 Securing application services on public networks55no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.14.1.3 Protecting application services transactions1015no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.14 Information transfer810no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed1034no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.AM-3: Organizational communication and data flows are mapped48no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)1044no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-2: Data-in-transit is protected1653no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4791no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity2227no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-4: Communications and control networks are protected1044no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events181no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained89no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk44no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected187no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected160no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected184no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage123no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(2) Information Flow Enforcement _ Processing Domains3133no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption1221no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection823no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.2.4 Configure system security parameters to prevent misuse.16no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.3 Encrypt all non-console administrative access using strong cryptography.310no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.1828no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 4.2 Never send unprotected PANs by enduser messaging technologies.4no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 8.2.1 Using strong cryptography, render all authentication credentials unreadable during transmission and storage on all system components.14no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 2.2.6 System security parameters are configured to prevent misuse.16no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 2.2.7 All non-console administrative access is encrypted using strong cryptography.10no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.228no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 4.2.2 PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.4no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.14no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 2.2.6 System security parameters are configured to prevent misuse.1216no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 2.2.7 All non-console administrative access is encrypted using strong cryptography.410no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.2928no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 4.2.2 PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.34no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.614no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.6-1 Restricts Access1619no data