Description:
Azure Web Apps should force secure communication by redirecting all HTTP traffic to HTTPS. Enabling HTTPS only ensures that all client requests use encrypted TLS, preventing data exposure and improving overall application security.
Rationale:
HTTPS encrypts data in transit, protecting sensitive information from interception or tampering. Requiring all traffic to use HTTPS improves user security, prevents man-in-the-middle attacks, and meets compliance requirements for secure communications.
Impact:
If HTTPS Only is disabled, users may connect over insecure HTTP. This exposes data such as credentials, tokens, and personal information. It increases the risk of session hijacking, interception, and non-compliance with security policies.
Default Value:
By default, Azure Web Apps may have HTTPS Only = Off, meaning HTTP is still allowed unless manually enforced.
Pre-requisites:
Permissions: Owner, Contributor, or Web App Contributor
Web App must support HTTPS (default for App Service)
Test Plan:
Log in to the Azure portal at https://portal.azure.com.
In the portal, search for App Services and select the Web App.
In the left menu, under Settings, select Configuration.
In the General settings tab, locate the HTTPS Only setting.
Verify whether HTTPS Only is turned On.
If it is not enabled, follow the implementation steps.
Implementation Steps:
Log in to the Azure Portal at https://portal.azure.com.
In the portal, search for App Services and select the Web App.
In the left menu, under Settings, select Configuration.
In the General settings section, set the HTTPS Only option to On, and click Apply.
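The Test Plan and Implementation Steps above are portal click-throughs; the following is an added example (not part of this document, and not Microsoft's code) that performs the same audit over every Web App in a subscription using the `httpsOnly` field returned by `az webapp list -o json`, and emits the equivalent `az webapp update --set httpsOnly=true` remediation for each failing app. The app names and resource groups in the embedded sample are constructed.

```python
"""Audit Azure Web Apps for the HTTPS Only setting (httpsOnly in the
`az webapp list` JSON) and print remediation commands for any app that
still accepts plain HTTP. Added example; not from the original document."""
import json
import subprocess
import sys

# Constructed sample of the fields `az webapp list -o json` returns;
# real output has many more keys, but only these are needed here.
SAMPLE_APPS_JSON = """[
  {"name": "billing-api", "resourceGroup": "rg-prod", "httpsOnly": true},
  {"name": "legacy-portal", "resourceGroup": "rg-prod", "httpsOnly": false},
  {"name": "intranet-docs", "resourceGroup": "rg-corp", "httpsOnly": null}
]"""


def audit_https_only(apps):
    """Return one finding per app whose HTTPS Only setting is not On.

    A missing or null httpsOnly is treated as Off: the check fails
    closed rather than assuming encryption is enforced."""
    findings = []
    for app in apps:
        if app.get("httpsOnly") is True:
            continue
        findings.append({
            "name": app["name"],
            "resourceGroup": app["resourceGroup"],
            "httpsOnly": app.get("httpsOnly"),
            # Same effect as setting HTTPS Only = On in the portal.
            "remediation": (
                f"az webapp update --name {app['name']} "
                f"--resource-group {app['resourceGroup']} --set httpsOnly=true"
            ),
        })
    return findings


def load_apps(live=False):
    """Read the inventory from Azure CLI (needs an active `az login`),
    or fall back to the constructed sample for offline use."""
    if live:
        out = subprocess.run(["az", "webapp", "list", "-o", "json"],
                             check=True, capture_output=True, text=True).stdout
        return json.loads(out)
    return json.loads(SAMPLE_APPS_JSON)


if __name__ == "__main__":
    for f in audit_https_only(load_apps(live="--live" in sys.argv)):
        print(f"FAIL {f['resourceGroup']}/{f['name']} (httpsOnly={f['httpsOnly']})")
        print(f"     fix: {f['remediation']}")
```

Run with `--live` against a real subscription; without it the script evaluates the embedded sample, so the logic can be checked before it is pointed at production.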
Backout Plan:
Log in to the Azure portal at https://portal.azure.com.
Go to App Services and select the Web App.
In the left menu, under Settings, select Configuration.
In the General settings section, set HTTPS Only to Off.
Click Save to apply the changes.
References:
https://learn.microsoft.com/azure/app-service/configure-ssl-bindings
https://learn.microsoft.com/azure/app-service/configure-common
https://learn.microsoft.com/azure/app-service/app-service-security