CRITICAL
Source
Trivy/CSPM
CSPM ID
https-only-enabled
ID
AVD-AZU-0004

Ensure the Function App can only be accessed via HTTPS. The default is false.

By default, clients can connect to function endpoints using either HTTP or HTTPS. You should redirect HTTP to HTTPS because HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated.

Impact

Anyone can access the Function App using HTTP.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log into the Microsoft Azure Management Console.
  2. Select the “Search resources, services, and docs” option at the top and search for App Services.
  3. Select the “App Service” by clicking on its “Name” link to access its configuration.
  4. Scroll down the selected App Service’s navigation panel and, under “Settings”, click on the “TLS/SSL settings” option.
  5. On the “TLS/SSL settings” page, check whether “HTTPS Only” is “ON” or “OFF”. If it is turned “OFF”, non-secure HTTP requests are not redirected to HTTPS.
  6. Repeat steps 2 - 5 to verify the SSL settings of the other Apps in the account.
  7. Navigate to “App Services”, select the App Service and click on its “Name” link to access the configuration, then select “TLS/SSL settings” under “Settings”.
  8. On the “Protocol Settings” page, click on the “ON” option next to “HTTPS Only”, which will redirect all non-secure HTTP requests to HTTPS. HTTPS uses the SSL/TLS protocol to provide a secure connection.
  9. Repeat the above steps to ensure “HTTPS Only” is enabled for all App Services, redirecting all HTTP traffic to HTTPS.

You can redirect all HTTP requests to the HTTPS port.

resource "azurerm_function_app" "good_example" {
  name                       = "test-azure-functions"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  os_type                    = "linux"
  https_only                 = true
}
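As an added example that is not part of this Trivy entry, the following Python checker applies the same rule to Terraform source: it reports every azurerm_function_app resource whose https_only attribute is missing or false, since the provider default is false. The sample Terraform input and the regex-based block matcher are constructed here and only handle top-level resource blocks.

```python
import re

# Constructed sample Terraform input (not from the page): one misconfigured
# Function App, one compliant one, and an unrelated resource that must be ignored.
SAMPLE_TF = """
resource "azurerm_function_app" "bad_example" {
  name                = "test-azure-functions"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  os_type             = "linux"
}

resource "azurerm_function_app" "good_example" {
  name       = "test-azure-functions"
  os_type    = "linux"
  https_only = true
}

resource "azurerm_storage_account" "example" {
  name = "storageacct"
}
"""

# Match a top-level resource block: type label, name label, then a body that
# runs up to the first closing brace at column 0 (nested blocks are indented).
_BLOCK_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
# Match an "https_only = true|false" attribute line inside a block body.
_HTTPS_ONLY_RE = re.compile(r'^\s*https_only\s*=\s*(?P<val>true|false)\s*$', re.MULTILINE)


def find_http_enabled_function_apps(tf_source):
    """Return the names of azurerm_function_app resources reachable over plain HTTP.

    The Azure provider defaults https_only to false, so an absent attribute is
    treated exactly like an explicit "https_only = false".
    """
    findings = []
    for block in _BLOCK_RE.finditer(tf_source):
        if block.group("type") != "azurerm_function_app":
            continue
        attr = _HTTPS_ONLY_RE.search(block.group("body"))
        if attr is None or attr.group("val") == "false":
            findings.append(block.group("name"))
    return findings


if __name__ == "__main__":
    for name in find_http_enabled_function_apps(SAMPLE_TF):
        print(f"AVD-AZU-0004: azurerm_function_app.{name} does not set https_only = true")
```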