Azure App Service allows HTTP traffic Affecting App Service (Web Apps) service in Azure
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00445
- creditSnyk Research Team
Description
Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.
How to fix?
Set the Microsoft.Web/sites properties.httpsOnly attribute to be true.
Example Configuration
{
"type": "Microsoft.Web/sites",
"apiVersion": "2021-02-01",
"properties": {
"httpsOnly": true
}
# other required fields here
}
Set the azurerm_app_service https_only attribute to be true.
Example Configuration
resource "azurerm_app_service" "example" {
https_only = true
# other required fields here
}