Azure App Service allows HTTP traffic Affecting App Service (Web Apps) service in Azure

Snyk CCSS

Network / Protocols

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

Snyk ID SNYK-CC-00445
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.

How to fix?

Set the Microsoft.Web/sites properties.httpsOnly attribute to be true.

Example Configuration

{
  "type": "Microsoft.Web/sites",
  "apiVersion": "2021-02-01",
  "properties": {
    "httpsOnly": true
  }
  # other required fields here
}

ARM

Microsoft.Web sites

Azure App Service allows HTTP traffic Affecting App Service (Web Apps) service in Azure

Severity

Description

How to fix?

Example Configuration

ARM

Terraform

References