Incoming client certificates should be required to be 'On'

Description

Client certificates allow an app to require a certificate on incoming requests, so that only clients presenting a valid certificate can reach the app. This TLS mutual authentication technique, common in enterprise environments, lets the server verify the authenticity of its clients. With incoming client certificates required, only an authenticated client holding a valid certificate can access the app.

Remediation

From the console

  1. Log in to Azure Portal using https://portal.azure.com.
  2. Go to App Services.
  3. Click on each App.
  4. Under the Settings section, click on Configuration.
  5. Under Incoming client certificates, set the Client Certificate Mode option to Require.
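The portal steps above cover one app at a time. The following script is an added example, not part of this page, that audits many apps at once from the JSON that `az webapp list` returns and prints the Azure CLI equivalent of the portal change. It assumes the site properties `clientCertEnabled` (the portal's "Ignore" state when false) and `clientCertMode` (the portal's "Require" maps to `Required`), and the sample data is constructed here rather than taken from any real subscription.

```python
"""Audit Azure App Service apps for the 'Require' incoming client certificate setting.

Added example (not from the original page). SAMPLE_AZ_OUTPUT is constructed to
mimic the shape of `az webapp list -o json`, trimmed to the fields used here;
every name and value in it is made up.
"""
import json

# ARM value behind the portal's "Require" option (Microsoft.Web/sites clientCertMode)
REQUIRED_MODE = "Required"

# Constructed sample: one compliant app and three different non-compliant states.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "app-compliant", "resourceGroup": "rg-prod",
     "clientCertEnabled": True, "clientCertMode": "Required"},
    {"name": "app-ignore", "resourceGroup": "rg-prod",
     "clientCertEnabled": False, "clientCertMode": "Required"},
    {"name": "app-allow", "resourceGroup": "rg-dev",
     "clientCertEnabled": True, "clientCertMode": "Optional"},
    {"name": "app-legacy", "resourceGroup": "rg-dev",
     "clientCertEnabled": True},
])


def is_compliant(app: dict) -> bool:
    """True only when client certs are enabled AND the mode is Required.

    clientCertEnabled=false makes the mode irrelevant (the front end ignores
    certificates), and a missing clientCertMode is treated as non-compliant
    rather than assumed to be Required.
    """
    return bool(app.get("clientCertEnabled")) and app.get("clientCertMode") == REQUIRED_MODE


def audit(az_json: str) -> list:
    """Return (resourceGroup, name, reason) for every non-compliant app, in input order."""
    findings = []
    for app in json.loads(az_json):
        if is_compliant(app):
            continue
        if not app.get("clientCertEnabled"):
            reason = "clientCertEnabled is false (client certificates ignored)"
        else:
            mode = app.get("clientCertMode", "unset")
            reason = f"clientCertMode is {mode!r}, not {REQUIRED_MODE!r}"
        findings.append((app["resourceGroup"], app["name"], reason))
    return findings


def remediation_command(resource_group: str, name: str) -> str:
    """Azure CLI equivalent of the portal steps, using the generic --set on the site resource."""
    return (f"az webapp update --resource-group {resource_group} --name {name} "
            f"--set clientCertEnabled=true clientCertMode={REQUIRED_MODE}")


if __name__ == "__main__":
    # Against a live subscription, replace SAMPLE_AZ_OUTPUT with the output of
    # `az webapp list -o json` (read from a file or a subprocess call).
    for rg, name, reason in audit(SAMPLE_AZ_OUTPUT):
        print(f"{rg}/{name}: {reason}")
        print("  fix:", remediation_command(rg, name))
```

Note that `Require` only makes the App Service front end reject connections that present no certificate; checking who issued the certificate and whether it is still valid is the app's job, using the certificate App Service forwards in the `X-ARR-ClientCert` request header.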