App Services

HTTPS Only Disabled

Risk Level: Medium

Description  

This plugin ensures that HTTPS Only is enabled for App Services. With HTTPS Only enabled, all non-secure HTTP requests are redirected to HTTPS, which uses the SSL/TLS protocol to provide a secure connection.

About the Service

App Services: Azure App Service hosts web applications, REST APIs, and backend services for mobile and web applications. Hosting web apps on Azure lets users focus on managing the application and its data.

Impact 

Because HTTP is not encrypted, communication between the user and the application is always exposed to passive attacks, which may escalate into active attacks. Using HTTPS not only helps secure the sensitive information of your application's users, but also gives your web app or website a relatively higher Google rank than sites using HTTP.

Steps to Reproduce

  1. Log in to the Azure portal.
  2. Click on App Services.
  3. Select an App Service plan from the listed apps.
  4. Click on TLS/SSL settings under Settings.
  5. If the HTTPS Only option is set ‘off’, follow the Steps for Remediation section given at the bottom of the page.
  6. Repeat the process from step 3 and check for this issue in the next applications as well.

Steps for Remediation

  1. Log in to the Azure portal.
  2. Click on App Services.
  3. Select an App Service plan from the listed apps.
  4. Click on TLS/SSL settings under the Settings section.
  5. Select the ‘On’ option in front of HTTPS Only and you are all set.
  6. Repeat the steps for the rest of the applications as well where the TLS version is not set to the latest.
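
The portal check and fix above can also be applied across many apps at once. The following is an added example, not PingSafe's plugin code: it audits JSON shaped like the output of the Azure CLI command `az webapp list -o json` and builds the matching `az webapp update --https-only true` command for each app that fails. The sample data, app names, and the choice to treat a missing `httpsOnly` field as disabled are assumptions.

```python
import json
import shlex

# Constructed sample shaped like `az webapp list -o json` output (trimmed to
# the fields used here); app names and resource groups are made up.
SAMPLE_AZ_WEBAPP_LIST = """
[
  {"name": "shop-frontend", "resourceGroup": "rg-prod", "httpsOnly": true,  "state": "Running"},
  {"name": "legacy-api",    "resourceGroup": "rg-prod", "httpsOnly": false, "state": "Running"},
  {"name": "staging-site",  "resourceGroup": "rg-test", "state": "Stopped"}
]
"""


def find_https_only_disabled(apps):
    """Return sorted (resource_group, name) pairs where HTTPS Only is not on.

    Assumption: a missing or null httpsOnly field counts as disabled, so an
    app is compliant only when the value is exactly true.
    """
    findings = []
    for app in apps:
        if app.get("httpsOnly") is not True:
            findings.append((app["resourceGroup"], app["name"]))
    return sorted(findings)


def remediation_command(resource_group, name):
    """Build the Azure CLI command that switches HTTPS Only on for one app."""
    return "az webapp update --resource-group {} --name {} --https-only true".format(
        shlex.quote(resource_group), shlex.quote(name)
    )


def audit(raw_json):
    """Parse CLI output and map each non-compliant app to its fix command."""
    apps = json.loads(raw_json)
    return {
        f"{rg}/{name}": remediation_command(rg, name)
        for rg, name in find_https_only_disabled(apps)
    }


if __name__ == "__main__":
    for app_id, command in audit(SAMPLE_AZ_WEBAPP_LIST).items():
        print(f"HTTPS Only disabled: {app_id}\n  fix: {command}")
```

To run it against a real subscription, replace the sample string with the saved output of `az webapp list -o json`.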

Please feel free to reach out to support@pingsafe.ai with any questions that you may have.

Thanks

PingSafe Support