One of the encryption-related Microsoft Defender for Cloud recommendations is “Web Application should only be accessible over HTTPS”. HTTPS (in contrast to plain HTTP) is the current standard, and it improves your security posture by encrypting web traffic. Serving all content over HTTPS also gives users the “lock” icon next to the URL, something end users have come to expect. They have a good reason to expect it, even though the icon sometimes provides a false sense of security: it tells you the connection is encrypted, not that the site behind it is trustworthy.
Step by step guide to enforcing HTTPS in your Web Apps
1) Find your Web App in Azure Portal and go to “Configuration”
2) Proceed to “General settings”
3) Click “On” next to “HTTPS Only”
4) Click on a “Save” button – or a Floppy disk icon, if you’re old enough to remember it
Act on “Web Application should only be accessible over HTTPS” in PowerShell
### First, let's find a Web App with the name "webapp123456" in the resource group "webapp123456_group". Remember to replace these with values from your environment
PS /home/user> Get-AzWebApp -Name webapp123456
Name State ResourceGroup EnabledHostNames Location
---- ----- ------------- ---------------- --------
webapp123456 Running webapp123456_group {webapp123456.azurewebsites.net, webapp123456.scm.azurewe… Central US
### Is the HTTPS enforced right now?
PS /home/user> (Get-AzWebApp -Name webapp123456).HttpsOnly
False
### Enforce the HTTPS on the Web App
PS /home/user> Set-AzWebApp -Name webapp123456 -ResourceGroupName webapp123456_group -HttpsOnly $true
Name State ResourceGroup EnabledHostNames Location
---- ----- ------------- ---------------- --------
webapp123456 Running webapp123456_group {webapp123456.azurewebsites.net, webapp123456.scm.azurewe… Central US
### Final check if our changes are confirmed
PS /home/user> (Get-AzWebApp -Name webapp123456).HttpsOnly
True
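The walkthrough above fixes one Web App by hand. The following script is an added example (not code from the original post) that applies the same Get-AzWebApp/Set-AzWebApp calls to every Web App in the current subscription: by default it only reports which apps still have HttpsOnly set to False, and with the -Remediate switch it enables the setting. It assumes the Az.Websites module is installed and Connect-AzAccount has already been run.

```powershell
# Added example, not code from the original post: audit every Web App in the
# current subscription for "HttpsOnly" and, when -Remediate is given, turn it on.
# Assumes the Az.Websites module is installed and Connect-AzAccount has been run.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # without this switch the script only reports
)

# With no parameters, Get-AzWebApp lists every Web App in the current subscription.
$findings = foreach ($app in Get-AzWebApp) {
    # Re-read each app individually so HttpsOnly is taken from the full site object.
    $site = Get-AzWebApp -ResourceGroupName $app.ResourceGroup -Name $app.Name

    $status = if ($site.HttpsOnly) { 'Compliant' } else { 'NonCompliant' }

    if (-not $site.HttpsOnly -and $Remediate -and
        $PSCmdlet.ShouldProcess("$($site.Name) in $($site.ResourceGroup)", 'Enable HttpsOnly')) {
        # Same call as in the walkthrough, applied to each non-compliant app.
        $updated = Set-AzWebApp -ResourceGroupName $site.ResourceGroup -Name $site.Name -HttpsOnly $true
        $status = if ($updated.HttpsOnly) { 'Remediated' } else { 'RemediationFailed' }
    }

    [pscustomobject]@{
        Name          = $site.Name
        ResourceGroup = $site.ResourceGroup
        Location      = $site.Location
        HttpsOnly     = [bool]$site.HttpsOnly
        Status        = $status
    }
}

# Table for the console; pipe $findings to Export-Csv if you need evidence for a change ticket.
$findings | Sort-Object Status, Name | Format-Table -AutoSize

# A non-zero exit code lets the script act as a gate in a pipeline.
if ($findings | Where-Object Status -eq 'NonCompliant') { exit 1 }
```

Run it once without -Remediate to see the scope, then with -WhatIf -Remediate to preview the changes before applying them; deployment slots (Get-AzWebAppSlot) have their own HttpsOnly setting and are not covered by this script.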
HTTP vs HTTPS
HTTP sends all traffic in plaintext: every query, every parameter, even every cookie. Each piece of information can be captured by bystanders on the local network and on any of the “hops” between source and destination. As nothing protects the content in transit, it can also be modified along the way. An Evil Twin attack is one example: an attacker sets up a replica of the access point you are connecting to, so all of your traffic flows through their device, where they can read the plaintext content and alter any unprotected values.
That is why encryption plays such an important role in modern traffic flows. HTTPS encrypts the traffic between client and server and ensures the data arrives unchanged. Through the system of Certification Authorities it also lets you verify that the server really belongs to the organization it claims to represent. And thanks to asymmetric cryptography, no encryption key is ever sent over the wire: the parties negotiate the session keys between themselves and start encrypted communication that only the intended receiver can read. Technically the encryption could be broken with an enormous amount of compute power, but the moment such power even appears on the distant horizon we simply double the key length, which keeps the problem out of reach for years to come.
In modern scenarios there is no reason to use HTTP. Public certificates for TLS (the encryption mechanism behind HTTPS) can be obtained cheaply or even for free. The only remaining reason to use HTTP instead of HTTPS is when the application is used by very old clients (or very simple devices) that cannot handle encryption. That is a valid scenario, but not a common one. In most cases you can simply enforce HTTPS and see no negative impact on your web application at all.
If you are managing a vast organization where enforcing such recommendations on individual Application Owners becomes an issue, you can build a custom Azure Policy for the “HttpsOnly” property and assign it with the effect “DeployIfNotExists”, so that non-compliant Web Apps are remediated automatically.