Profile Applicability:

  • Level 1

Description:

By default, Azure App Service serves apps over both HTTP and HTTPS, so anyone can reach an app using non-secure HTTP links. This check ensures that 'HTTPS Only' is set to On to force secure connections over HTTPS.

Rationale:

Enabling HTTPS-only traffic ensures that all non-secure HTTP requests are redirected to HTTPS. HTTPS uses the TLS/SSL protocol to provide a connection that is both encrypted and authenticated. This is crucial for protecting data confidentiality and integrity by ensuring that sensitive information is transmitted securely.

Impact:

Pros:

  • Forces secure connections over HTTPS, ensuring data encryption and authentication.

  • Meets industry standards and compliance requirements for data transmission security (e.g., PCI DSS).

  • Reduces the risk of data interception or man-in-the-middle attacks.

Cons:

  • May require configuration changes to redirect existing HTTP traffic.

  • Can impact services that do not support HTTPS, requiring them to be updated or reconfigured.

Default Value:

By default, Azure App Service allows both HTTP and HTTPS traffic. The 'HTTPS Only' setting is disabled by default.

Pre-requisites:

Ensure that the web application supports HTTPS, and the necessary SSL/TLS certificates are configured.

Test Plan:

Using Azure Console:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. Go to the App Services blade.

  3. Select each App Service you want to review.

  4. Under the Settings section, click on Configuration.

  5. Under General Settings, ensure that HTTPS Only is set to On.

Using Azure CLI:

To check the 'HTTPS Only' status for an existing app, run the following command:

az webapp show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --query httpsOnly

The command returns true if 'HTTPS Only' is enabled and false otherwise.

Implementation Plan:

Using Azure Console:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. Go to App Services.

  3. Click on the app you want to configure.

  4. Under the Settings section, click on Configuration.

  5. Under General Settings, set HTTPS Only to On.

  6. Click Save to apply the changes.

Using Azure CLI:

To set 'HTTPS Only' for an app, run the following command:

az webapp update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --https-only true
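The Test Plan and Implementation Plan above check and fix one app at a time. The following script, an added example rather than part of this benchmark page, automates both across a subscription: it parses the JSON that `az webapp list -o json` emits, reports every app whose httpsOnly is not true, and builds the exact `az webapp update ... --https-only true` command from the Implementation Plan for each finding. The sample JSON, app names and resource groups are constructed for illustration; only the `name`, `resourceGroup` and `httpsOnly` fields are assumed to be present in the real CLI output.

```python
import json
import shlex
import subprocess
from typing import Dict, List

# Constructed sample of `az webapp list -o json` output, trimmed to the fields the
# check needs. Real output carries many more properties; these apps are made up.
SAMPLE_AZ_WEBAPP_LIST = """
[
  {"name": "payments-api", "resourceGroup": "rg-prod", "httpsOnly": false,
   "defaultHostName": "payments-api.azurewebsites.net"},
  {"name": "portal-web", "resourceGroup": "rg-prod", "httpsOnly": true,
   "defaultHostName": "portal-web.azurewebsites.net"},
  {"name": "legacy-intranet", "resourceGroup": "rg-legacy", "httpsOnly": false,
   "defaultHostName": "legacy-intranet.azurewebsites.net"}
]
"""


def non_compliant_apps(az_json: str) -> List[Dict[str, str]]:
    """Return apps whose 'HTTPS Only' setting is not On.

    A missing or null httpsOnly is treated as a finding, not a pass: the
    setting defaults to Off, so only an explicit true is compliant.
    """
    findings = []
    for app in json.loads(az_json):
        if app.get("httpsOnly") is not True:
            findings.append({"resourceGroup": app["resourceGroup"],
                             "name": app["name"]})
    return findings


def remediation_command(resource_group: str, name: str) -> List[str]:
    """Build the az command from the Implementation Plan for one app."""
    return ["az", "webapp", "update",
            "--resource-group", resource_group,
            "--name", name,
            "--https-only", "true"]


def remediate(az_json: str, apply: bool = False) -> List[str]:
    """Return the remediation command for each finding; run them if apply=True.

    Commands are returned shell-quoted so a dry run can be reviewed and logged
    before any app is changed.
    """
    commands = []
    for finding in non_compliant_apps(az_json):
        argv = remediation_command(finding["resourceGroup"], finding["name"])
        commands.append(shlex.join(argv))
        if apply:
            subprocess.run(argv, check=True)
    return commands


if __name__ == "__main__":
    # For a live audit, replace the constructed sample with the real CLI output:
    #   raw = subprocess.check_output(["az", "webapp", "list", "-o", "json"], text=True)
    for cmd in remediate(SAMPLE_AZ_WEBAPP_LIST, apply=False):
        print(cmd)
```

Run it first with `apply=False` to get the list of affected apps, confirm the prerequisite above (that each app actually serves HTTPS with a valid certificate) for anything on the list, and only then rerun with `apply=True`.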

Backout Plan:

Using Azure Console:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. Go to App Services.

  3. Click on the app for which you want to disable 'HTTPS Only'.

  4. Under the Settings section, click on Configuration.

  5. Under General Settings, set HTTPS Only to Off.

  6. Click Save to apply the changes.

Using Azure CLI:

To disable 'HTTPS Only' for an app, run the following command:

az webapp update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --https-only false

References: