When Microsoft Defender for Cloud finds a service that allows unencrypted traffic, it creates a recommendation that is visible in Defender for Cloud, in the Security blade of the resource, or in Azure Advisor. In this article you will learn how to act on the recommendation “Function App should only be accessible over HTTPS”, fixing it both from the Azure Portal and from PowerShell, and also why this recommendation exists in the first place.
Enforcing HTTPS in Azure Portal
To enforce HTTPS on a Function App, follow these steps:
1) Find your Function App in the Azure Portal and open “Configuration”
2) Select “General settings”
3) Set the “HTTPS only” toggle to “On”
4) Click “Save”.
Fixing “Function App should only be accessible over HTTPS” in PowerShell
# Finding the Function App by its name. Replace FunctionApp123456 with the name of your app.
PS> Get-AzWebApp -Name FunctionApp123456
Name              State   ResourceGroup           EnabledHostNames                                  Location
----              -----   -------------           ----------------                                  --------
FunctionApp123456 Running FunctionApp123456_group {functionapp123456.azurewebsites.net, functionapp… Central US
# Current state of the "HTTPS Only" setting
PS> $FunctionApp = Get-AzWebApp -Name FunctionApp123456
PS> $FunctionApp.HttpsOnly
False
# Updating the setting to allow only HTTPS connections
PS> Set-AzWebApp -Name FunctionApp123456 -ResourceGroupName FunctionApp123456_group -HttpsOnly $true
Name              State   ResourceGroup           EnabledHostNames                                  Location
----              -----   -------------           ----------------                                  --------
FunctionApp123456 Running FunctionApp123456_group {functionapp123456.azurewebsites.net, functionapp… Central US
# Validating the new state of the "HTTPS Only" setting
PS> $FunctionApp = Get-AzWebApp -Name FunctionApp123456
PS> $FunctionApp.HttpsOnly
True
Why enforce HTTPS on Function Apps?
HTTPS is the de-facto standard at this point, and an unencrypted protocol should be chosen only when it is a strict requirement (for example, to support very old clients). Today it should never be allowed by default. Plaintext HTTP is a product of its time, when fewer people had network access, the web had fewer use cases, and there were fewer threat actors. We live in completely different times now: if you plug an unpatched device into the network you can start a timer, and you will be surprised how quickly the first unwelcome visitors arrive. With that in mind, the current approach is to put as little trust as possible into any single part of a workflow, because even if a component is well cared for at a given moment, it might be compromised in the future, and the trust placed in that component will then get other components compromised.
This is where TLS, the encryption mechanism behind HTTPS, comes in. It encrypts the contents of your web requests and responses, so that third parties such as ISPs or local network administrators do not have visibility into the traffic. But confidentiality is not the only benefit. Through the system of trusted certificate authorities, the client can check that the server’s certificate was issued by an authority it trusts and, most importantly, that the server is who it claims to be. The third benefit is integrity: once the traffic is encrypted between the client and a validated server, TLS also ensures that the traffic between those parties is not modified by anyone else. Every request and response remains encrypted, unchanged, and originating from the right source.
It’s a lot of value for a single switch in Azure Portal, right?
Impact of the Defender for Cloud recommendation
Services lacking encryption are flagged by Defender for Cloud, and the recommendations are marked with impact “MEDIUM” or “HIGH”. Make sure to review those recommendations, as enforcing HTTPS on a Function App is not the only recommendation in this category. Other components, such as API Apps, require the same treatment. And for the Function Apps themselves, implement encryption wherever possible: for deployments, do not allow plaintext FTP; enforce FTPS instead.
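The PowerShell session above fixes one Function App by name, and this section asks for the same treatment on every Function App plus FTPS-only deployment. The following script is an added example, not code from the original article: it enumerates all Function Apps in the current subscription with the standard Az.Websites cmdlets (Get-AzWebApp and Set-AzWebApp, the same ones used above), reports which apps still allow plaintext HTTP or FTP, and, only when the -Remediate switch is given, applies -HttpsOnly $true and -FtpsState 'FtpsOnly'. The function name Invoke-FunctionAppTransportAudit and the -Remediate switch are this example’s own; it assumes an active Connect-AzAccount session with read (or, for remediation, write) permission on the apps.

```powershell
# Added example (not from the original article): audit every Function App in the
# current subscription for plaintext HTTP and FTP, and optionally fix both.
# Requires the Az.Accounts and Az.Websites modules and a prior Connect-AzAccount.
function Invoke-FunctionAppTransportAudit {
    [CmdletBinding()]
    param(
        # When set, apply the fixes instead of only reporting them.
        [switch]$Remediate
    )

    # Acceptable FtpsState values: FTPS only, or FTP/FTPS disabled entirely.
    $secureFtpsStates = @('FtpsOnly', 'Disabled')

    # Get-AzWebApp with no parameters lists every App Service site in the subscription.
    # Function Apps carry a Kind such as "functionapp" or "functionapp,linux".
    $apps = Get-AzWebApp | Where-Object { $_.Kind -like '*functionapp*' }

    foreach ($app in $apps) {
        # The list call returns a lightweight object; fetch the app individually so
        # that SiteConfig (which holds FtpsState) is populated.
        $full = Get-AzWebApp -ResourceGroupName $app.ResourceGroup -Name $app.Name

        $finding = [pscustomobject]@{
            Name          = $full.Name
            ResourceGroup = $full.ResourceGroup
            HttpsOnly     = $full.HttpsOnly
            FtpsState     = $full.SiteConfig.FtpsState
            Compliant     = ($full.HttpsOnly -eq $true) -and ($full.SiteConfig.FtpsState -in $secureFtpsStates)
            Remediated    = $false
        }

        if (-not $finding.Compliant -and $Remediate) {
            # -HttpsOnly is the same switch the article toggles; -FtpsState 'FtpsOnly'
            # rejects plaintext FTP for deployments. Both are Set-AzWebApp parameters.
            Set-AzWebApp -ResourceGroupName $full.ResourceGroup -Name $full.Name `
                -HttpsOnly $true -FtpsState 'FtpsOnly' | Out-Null

            # Re-read the app so the report reflects the actual stored state,
            # mirroring the "validate the new state" step in the article.
            $refreshed = Get-AzWebApp -ResourceGroupName $full.ResourceGroup -Name $full.Name
            $finding.HttpsOnly  = $refreshed.HttpsOnly
            $finding.FtpsState  = $refreshed.SiteConfig.FtpsState
            $finding.Compliant  = ($refreshed.HttpsOnly -eq $true) -and ($refreshed.SiteConfig.FtpsState -in $secureFtpsStates)
            $finding.Remediated = $finding.Compliant
        }

        $finding
    }
}

# Report only: list every Function App and whether it still allows plaintext HTTP or FTP.
Invoke-FunctionAppTransportAudit | Format-Table -AutoSize

# Enforce HTTPS-only and FTPS-only on every non-compliant Function App:
# Invoke-FunctionAppTransportAudit -Remediate | Format-Table -AutoSize
```

Run the report-only form first and review the output; the Compliant column should match the Defender for Cloud recommendations for the same apps. Re-running with -Remediate changes only the apps that were reported as non-compliant, and the Remediated column confirms that the new state was read back from Azure rather than assumed.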