LOW
Source
Trivy/CSPM
CSPM ID
client-certificates-enabled
ID
AVD-AZU-0001

Web App accepts incoming client certificate

Mutual TLS authentication in enterprise environments proves the authenticity of clients to the server. If incoming client certificates are enabled, only an authenticated client presenting a valid certificate can access the app.

Impact

Mutual TLS is not being used

Follow the appropriate remediation steps below to resolve the issue.

  1. Log into the Microsoft Azure Management Console.
  2. Select the “Search resources, services, and docs” option at the top and search for App Services.
  3. Select the “App Services” entry by clicking on its “Name” link to access the configuration.
  4. Scroll down the selected “App Services” navigation panel and, under “Settings”, click on the “TLS/SSL settings” option.
  5. On the “TLS/SSL settings” page check whether “Incoming client certificates” is “ON” or “OFF”. If it is turned “OFF”, the app does not block clients that lack a valid certificate.
  6. Repeat steps 2 - 5 to verify the SSL settings of the other “Apps” in the account.
  7. Navigate to “App Services”, select the “App Service” and click on its “Name” link to access the configuration, then select “TLS/SSL settings” under “Settings”.
  8. On the “Protocol Settings” page click on the “ON” option next to “Incoming client certificates”, which only allows clients with valid certificates to reach the app.
  9. Repeat the above steps to ensure “Client Certificates” are enabled for all “App Services”, so that only clients with valid certificates can reach the app.
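As an added example (not part of the Trivy/AVD page), this Python check automates the verification in steps 2 to 6 over the JSON that `az webapp list` returns, so every App Service in a subscription can be audited for AVD-AZU-0001 in one pass. The sample input is constructed inline, and the `clientCertEnabled`/`clientCertMode` field names and the Required-by-default behaviour are assumptions about the Azure API, not taken from this page; the mode check goes slightly beyond the page by also flagging apps where certificates are enabled but not enforced.

```python
import json

# Constructed sample, shaped like the JSON that `az webapp list` returns.
# Only the fields the check reads are included; the values are made up.
SAMPLE_WEBAPPS_JSON = """
[
  {"name": "billing-api", "resourceGroup": "rg-prod",
   "clientCertEnabled": true, "clientCertMode": "Required"},
  {"name": "partner-portal", "resourceGroup": "rg-prod",
   "clientCertEnabled": true, "clientCertMode": "Optional"},
  {"name": "legacy-site", "resourceGroup": "rg-legacy",
   "clientCertEnabled": false},
  {"name": "intranet", "resourceGroup": "rg-corp",
   "clientCertEnabled": true}
]
"""


def client_cert_finding(app):
    """Return None if the app enforces client certificates, else a reason string."""
    if not app.get("clientCertEnabled", False):
        return "incoming client certificates are OFF"
    # Assumed Azure semantics: when clientCertMode is absent the platform
    # defaults to Required; "Optional" and "OptionalInteractiveUser" still
    # admit clients that present no certificate, so nothing is enforced.
    mode = app.get("clientCertMode", "Required")
    if mode != "Required":
        return f"client certificates enabled but mode is {mode} (not enforced)"
    return None


def audit_webapps(webapps_json):
    """Map 'resourceGroup/name' -> finding for every app failing AVD-AZU-0001."""
    findings = {}
    for app in json.loads(webapps_json):
        reason = client_cert_finding(app)
        if reason is not None:
            findings[f"{app['resourceGroup']}/{app['name']}"] = reason
    return findings


if __name__ == "__main__":
    for target, reason in audit_webapps(SAMPLE_WEBAPPS_JSON).items():
        print(f"AVD-AZU-0001 {target}: {reason}")
```

To run it against a real subscription, feed the output of `az webapp list` to `audit_webapps` in place of the constructed sample.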

Enable incoming certificates for clients

resource "azurerm_app_service" "good_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  # Require a valid client certificate on every incoming request (mutual TLS)
  client_cert_enabled = true
}