Azure App Service Web app does not redirect HTTP to HTTPS
Description
By default, Azure Web Apps allow sites to run under both HTTP and HTTPS, so they can be accessed by anyone using non-secure HTTP links. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port.
We recommend you enforce HTTPS-only traffic to increase security. This will redirect all non-secure HTTP requests to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated.
Fix - Runtime
Azure Portal
To change the policy using the Azure Portal, follow these steps:
- Log in to the Azure Portal at https://portal.azure.com.
- Navigate to App Services.
- For each app, click the app.
a) Navigate to the Settings section.
b) Click SSL settings.
c) Navigate to the Protocol Settings section.
d) Set HTTPS Only to On.
CLI Command
To set HTTPS-only traffic for an existing app, use the following command:
az webapp update \
  --resource-group <RESOURCE_GROUP_NAME> \
  --name <APP_NAME> \
  --set httpsOnly=true
Fix - Buildtime
Terraform
Resource: azurerm_app_service
Argument: https_only
resource "azurerm_app_service" "example" {
...
+ https_only = true
}
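The buildtime condition above can be checked over Terraform source before it is applied. The following is an added example, not code from the original page or from any scanner: it flags azurerm_app_service resources whose own https_only argument is missing or not true. The sample Terraform and the function names are constructed for illustration, and the brace counting assumes no braces inside strings or comments.

```python
import re

# Constructed sample Terraform for illustration only.
SAMPLE_TF = '''
resource "azurerm_app_service" "compliant" {
  https_only = true
  site_config {
    always_on = true
  }
}
resource "azurerm_app_service" "unset" {
  app_settings = {
    https_only = "true"
  }
}
resource "azurerm_app_service" "disabled" {
  https_only = false
}
'''

RESOURCE_RE = re.compile(r'resource\s+"azurerm_app_service"\s+"([^"]+)"\s*\{')
HTTPS_ONLY_RE = re.compile(r'^\s*https_only\s*=\s*(\S+)', re.MULTILINE)

def top_level_args(text, start):
    """Return the resource's own arguments, skipping nested blocks and maps.
    `start` is the index just after the resource's opening brace."""
    out, depth, i = [], 1, start
    while i < len(text) and depth:
        ch = text[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 1:
            out.append(ch)
        i += 1
    return "".join(out)

def find_noncompliant(tf_text):
    """List (resource name, reason) for app services that do not force HTTPS."""
    findings = []
    for m in RESOURCE_RE.finditer(tf_text):
        val = HTTPS_ONLY_RE.search(top_level_args(tf_text, m.end()))
        if val is None:  # argument absent: the provider default is false
            findings.append((m.group(1), "https_only not set"))
        elif val.group(1) != "true":
            findings.append((m.group(1), "https_only = " + val.group(1)))
    return findings
```

The "unset" resource shows why nested content is skipped: a key named https_only inside app_settings does not enable the redirect.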