Metadata

Id: eb8c2560-8bee-4248-9d0d-e80c8641dd91

Cloud Provider: Azure

Platform: Ansible

Severity: Medium

Category: Insecure Configurations

Description

Azure Web Apps must accept only HTTPS traffic to protect data in transit from interception, tampering, and credential or session-token exposure. For Ansible deployments using the azure_rm_webapp or azure.azcollection.azure_rm_webapp module, the https_only property must be defined and set to true (or yes). Tasks that omit https_only or set it to a false value are flagged.

Secure configuration example:

- name: Create web app with HTTPS only
  azure.azcollection.azure_rm_webapp:
    name: my-webapp
    resource_group: my-rg
    plan: my-plan
    https_only: yes

Compliant Code Examples

- name: Create a windows web app with non-exist app service plan
  azure_rm_webapp:
    resource_group: myResourceGroup
    name: myWinWebapp
    https_only: true
    plan:
      resource_group: myAppServicePlan_rg
      name: myAppServicePlan
      is_linux: false
      sku: S1

Non-Compliant Code Examples

- name: Create a windows web app with non-exist app service plan
  azure_rm_webapp:
    resource_group: myResourceGroup
    name: myWinWebapp
    https_only: false
    plan:
      resource_group: myAppServicePlan_rg
      name: myAppServicePlan
      is_linux: false
      sku: S1
- name: Create another windows web app
  azure_rm_webapp:
    resource_group: myResourceGroup
    name: myWinWebapp
    plan:
      resource_group: myAppServicePlan_rg
      name: myAppServicePlan
      is_linux: false
      sku: S1
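
The check described under Description, written out as an added example (not Datadog's rule implementation). It assumes the playbook has already been loaded by a YAML parser into a list of task dictionaries; it also walks block/rescue/always sections and uses Ansible's true-string set, both of which go beyond what the page states. The function names and sample tasks are hypothetical.

```python
WEBAPP_MODULES = {"azure_rm_webapp", "azure.azcollection.azure_rm_webapp"}
TRUE_STRINGS = {"y", "yes", "on", "1", "true", "t"}  # strings Ansible converts to true
NESTED_KEYS = ("block", "rescue", "always")


def is_true(value):
    """Return True only when the value is statically a true boolean."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value == 1
    if isinstance(value, str):
        # A templated string such as "{{ var }}" cannot be resolved here,
        # so this example treats it as not true (an assumption of this sketch).
        return value.strip().lower() in TRUE_STRINGS
    return False


def find_violations(tasks, path="tasks"):
    """Return (location, task name, reason) for each web app task that allows HTTP."""
    findings = []
    for index, task in enumerate(tasks):
        where = f"{path}[{index}]"
        if not isinstance(task, dict):
            continue
        for key in NESTED_KEYS:  # descend into nested task lists
            if isinstance(task.get(key), list):
                findings += find_violations(task[key], f"{where}.{key}")
        for module in WEBAPP_MODULES & task.keys():
            args = task[module] if isinstance(task[module], dict) else {}
            if "https_only" not in args:
                reason = "https_only is not defined"
            elif not is_true(args["https_only"]):
                reason = f"https_only is {args['https_only']!r}"
            else:
                continue
            findings.append((where, task.get("name", "<unnamed>"), reason))
    return findings


SAMPLE_TASKS = [  # constructed input: the page's examples as they look after YAML parsing
    {"name": "compliant", "azure_rm_webapp": {"name": "myWinWebapp", "https_only": True}},
    {"name": "explicit false", "azure_rm_webapp": {"name": "myWinWebapp", "https_only": False}},
    {"name": "omitted", "azure_rm_webapp": {"name": "myWinWebapp"}},
    {"name": "nested", "block": [
        {"name": "quoted yes", "azure.azcollection.azure_rm_webapp": {"https_only": "yes"}},
        {"name": "quoted no", "azure.azcollection.azure_rm_webapp": {"https_only": "no"}},
    ]},
]

if __name__ == "__main__":
    for where, name, reason in find_violations(SAMPLE_TASKS):
        print(f"{where}: {name}: {reason}")
```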