The web app should redirect all HTTP traffic to HTTPS

Description

Azure Web Apps allow sites to use both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. Enabling HTTPS-only traffic redirects all non-secure HTTP request to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated, so it is important to support HTTPS for the security benefits.

Remediation

From the console

  1. Log in to Azure Portal using https://portal.azure.com.
  2. Go to App Services.
  3. Click on each App.
  4. Under Setting section, click on TLS/SSL settings.
  5. Under the Bindings pane, set HTTPS Only to On under the Protocol Settings section.