LOW
Source
Trivy/CSPM
CSPM ID
client-certificates-enabled
ID
AVD-AZU-0001

Web App accepts incoming client certificate

The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled only an authenticated client with valid certificates can access the app.

Impact

Follow the appropriate remediation steps below to resolve the issue.

  1. Log into the Microsoft Azure Management Console.

  2. Select the “Search resources, services, and docs” option at the top and search for App Services. Step

  3. Select the “App Services” by clicking on the “Name” link to access the configuration changes.Step

  4. On left navigation panel that opens, click on Configuration tab.</br

  5. Select General settings tab on the Configurations page. Step

  6. Scroll down to check for Incoming client certificates at the bottom and select one of the following “Required”, “Allowed”, or “Optional”, according to requirement. .Step

  7. Repeat above steps to ensures “Client Certificates” are enabled for “App Services”, only allowing clients with valid certificates to reach the app. “NOTE: This plugin shows positive result when HTTP2.0 is enabled”

Enable incoming certificates for clients

1
2
3
4
5
6
7
resource "azurerm_app_service" "good_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  client_cert_enabled = true
}