Source: CloudSploit
ID: detect-insecure-custom-origin

Detect Insecure Custom Origin

Ensures that HTTPS is enabled for CDN endpoints with a custom origin.

All Azure CDN endpoints should enable HTTPS to secure traffic to the backend custom origin.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log into the Microsoft Azure Management Console.

  2. Select the “Search resources, services, and docs” option at the top and search for CDN. Select “Front Door and CDN profiles”.

  3. On the “Front Door and CDN profiles” page, click on the “Name” link to access the configuration changes.

  4. In the CDN details pane that opens, click on the “Endpoints” link under “Properties”.

  5. On the endpoint management page that opens, click on “default-route” under the “Routes” column to load the route configuration page.

  6. On the “Update route” page, check the value of the “Accepted protocols” dropdown. If it is set to “HTTP only” or “HTTP and HTTPS”, the endpoint allows insecure traffic. This is a security threat.

  7. Click on the “Accepted protocols” dropdown and select “HTTPS only”. This will configure the endpoint to accept only secure traffic.

  8. Ensure that the checkbox for “Redirect” is selected to “Redirect all traffic to use HTTPS”.

  9. Click “Update” at the bottom of the page to save the changes.

  10. Repeat steps 4 - 9 for all other CDN endpoints.
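
The check in steps 6 to 8 can be applied to exported route configuration instead of clicking through each endpoint. The following is an added example, not CloudSploit's own code; it assumes route objects shaped like the Azure Front Door route resource (`properties.supportedProtocols`, `properties.httpsRedirect`), and the sample routes are constructed.

```javascript
// Added example, not CloudSploit code. Assumed input shape (Azure Front Door
// route resource): properties.supportedProtocols is an array of "Http"/"Https",
// properties.httpsRedirect is "Enabled" or "Disabled".

// Classify one route against steps 6-8 of the procedure above.
function auditRoute(route) {
  const props = route.properties || {};
  const protocols = (props.supportedProtocols || []).map((p) => String(p).toLowerCase());
  const redirect = String(props.httpsRedirect || '').toLowerCase() === 'enabled';
  const finding = { route: route.name, status: 'PASS', reasons: [] };

  // Incomplete export: do not report a pass on data we cannot evaluate.
  if (protocols.length === 0) {
    finding.status = 'UNKNOWN';
    finding.reasons.push('supportedProtocols missing; accepted protocols cannot be determined');
    return finding;
  }
  // Step 6: "HTTP only" or "HTTP and HTTPS" means insecure traffic is accepted.
  if (protocols.includes('http')) {
    finding.status = 'FAIL';
    finding.reasons.push(protocols.includes('https')
      ? 'Accepted protocols is "HTTP and HTTPS"'
      : 'Accepted protocols is "HTTP only"');
  }
  // Step 8: the redirect-to-HTTPS option should be selected.
  if (!redirect) {
    if (finding.status === 'PASS') finding.status = 'WARN';
    finding.reasons.push('HTTPS redirect is not enabled');
  }
  return finding;
}

function auditRoutes(routes) {
  return routes.map(auditRoute);
}

// Constructed sample input covering each outcome.
const sampleRoutes = [
  { name: 'default-route', properties: { supportedProtocols: ['Http', 'Https'], httpsRedirect: 'Disabled' } },
  { name: 'legacy-route', properties: { supportedProtocols: ['Http'], httpsRedirect: 'Disabled' } },
  { name: 'api-route', properties: { supportedProtocols: ['Https'], httpsRedirect: 'Enabled' } },
  { name: 'partial-route', properties: {} },
];

for (const f of auditRoutes(sampleRoutes)) {
  console.log(`${f.status.padEnd(7)} ${f.route} ${f.reasons.join('; ')}`);
}
```

Any route reported as `FAIL`, `WARN` or `UNKNOWN` should be opened in the portal and corrected as described in steps 7 to 9.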