CRITICAL
Source
Trivy/CSPM
CSPM ID
https-only-enabled
ID
AVD-AZU-0004

Ensure the Function App can only be accessed via HTTPS. The default is false.

By default, clients can connect to function endpoints using both HTTP and HTTPS. You should redirect HTTP to HTTPS because HTTPS uses the SSL/TLS protocol to provide a secure connection that is both encrypted and authenticated.

Impact

Anyone can access the Function App using HTTP.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log in to the Microsoft Azure Management Console.

  2. Find the search bar at the top and search for App Services.

  3. Select the “App Service” by clicking on its “Name” to go to its configuration.

  4. Scroll down the selected “App Service” left navigation panel and, under “Settings”, click on the “TLS/SSL settings” option.

  5. On the “TLS/SSL settings” page select the Bindings tab, scroll down and, under “Protocol Settings”, check whether “HTTPS Only” is set to “Off”. It is recommended to set “HTTPS Only” to “On” to allow only secure traffic.

  6. If the “App Service” is not using “HTTPS Only”, select “On” on the slider.

  7. Wait for the confirmation box to confirm that the changes are saved.

  8. Repeat steps 3 to 7 to verify that all other “Apps” in the account are using HTTPS only.

You can redirect all HTTP requests to the HTTPS port.

 resource "azurerm_function_app" "good_example" {
   name                       = "test-azure-functions"
   location                   = azurerm_resource_group.example.location
   resource_group_name        = azurerm_resource_group.example.name
   app_service_plan_id        = azurerm_app_service_plan.example.id
   storage_account_name       = azurerm_storage_account.example.name
   storage_account_access_key = azurerm_storage_account.example.primary_access_key
   os_type                    = "linux"
   # Rejects plain HTTP and redirects it to HTTPS; the provider default is false.
   https_only                 = true
 }
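To catch this misconfiguration before `terraform apply`, here is an added pre-deployment check (example code written for this page, not part of Trivy or the azurerm provider): it reads the JSON form of a Terraform plan and flags every Function App whose `https_only` is not true, treating a missing attribute as the insecure default. The sample plan is constructed, and the `azurerm_linux_function_app` / `azurerm_windows_function_app` type names are assumed alongside the `azurerm_function_app` shown above.

```python
"""Flag Function Apps whose HTTPS-only setting is off (AVD-AZU-0004).
Input: JSON form of a Terraform plan (`terraform show -json plan.out`).
The provider default is false, so a missing `https_only` is a finding."""
import json

# Resource types that expose the https_only attribute (assumed set).
FUNCTION_APP_TYPES = {
    "azurerm_function_app",
    "azurerm_linux_function_app",
    "azurerm_windows_function_app",
}


def _walk(module):
    """Yield every resource in a module and its nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)


def find_http_function_apps(plan_json):
    """Return addresses of Function Apps still reachable over plain HTTP."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in _walk(root):
        if res.get("type") not in FUNCTION_APP_TYPES:
            continue
        # Absent attribute == provider default (false) == HTTP allowed.
        if res.get("values", {}).get("https_only") is not True:
            findings.append(res["address"])
    return findings


# Constructed sample plan (not real infrastructure): one compliant app,
# one explicitly HTTP-enabled app, one relying on the insecure default.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "azurerm_function_app.good_example",
     "type": "azurerm_function_app", "values": {"https_only": True}},
    {"address": "azurerm_function_app.bad_example",
     "type": "azurerm_function_app", "values": {"https_only": False}},
    {"address": "azurerm_linux_function_app.default_example",
     "type": "azurerm_linux_function_app", "values": {}},
    {"address": "azurerm_storage_account.example",
     "type": "azurerm_storage_account", "values": {}},
]}}})

if __name__ == "__main__":
    for address in find_http_function_apps(SAMPLE_PLAN):
        print(f"AVD-AZU-0004: {address} allows plain HTTP; set https_only = true")
```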