The web app should redirect all HTTP traffic to HTTPS


Warning: This rule will be deprecated on 18 December 2023 as part of the update to Azure CIS version 2.0.0.


Azure Web Apps allow sites to use both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.


Enabling HTTPS-only traffic redirects all non-secure HTTP requests to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated, so it is important to support HTTPS for the security benefits.


From the console

  1. Login to Azure Portal using
  2. Go to App Services
  3. Click on each app
  4. Under the Settings section, click on SSL settings
  5. Under Protocol Settings, set HTTPS Only to On.

From the command line

To set the HTTPS-only traffic value for an existing app, run the following command:

    az webapp update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --set httpsOnly=true
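
To check every app rather than one at a time, the following added example (not part of the original rule text) filters an app inventory for apps where HTTPS Only is not enabled and prints the remediation command above for each. The function names, the sample inventory and the `az webapp list` query shown in the comments are assumptions made for this example.

```shell
# Added example: audit App Service apps for the HTTPS Only setting.
# Expected input on stdin: one app per line, tab-separated as
#   resourceGroup<TAB>name<TAB>httpsOnly
# which (assumption) can be produced with:
#   az webapp list --query "[].[resourceGroup, name, httpsOnly]" -o tsv

TAB=$(printf '\t')

# Print "resourceGroup<TAB>name" for every app that still accepts plain HTTP.
# Anything other than "true" (false, None, empty) is reported: fail closed.
find_http_allowed() {
  while IFS="$TAB" read -r rg name https_only || [ -n "$rg" ]; do
    if [ -z "$rg" ] || [ -z "$name" ]; then
      continue
    fi
    # Normalise case and strip a trailing CR from Windows-generated input.
    flag=$(printf '%s' "$https_only" | tr -d '\r' | tr '[:upper:]' '[:lower:]')
    if [ "$flag" != "true" ]; then
      printf '%s\t%s\n' "$rg" "$name"
    fi
  done
}

# Turn the findings into the remediation command, one per app.
# Commands are only printed so they can be reviewed before being run.
remediation_commands() {
  find_http_allowed | while IFS="$TAB" read -r rg name; do
    printf "az webapp update --resource-group '%s' --name '%s' --set httpsOnly=true\n" "$rg" "$name"
  done
}

# Constructed sample inventory (not real apps) for trying the functions offline.
sample_inventory() {
  printf 'rg-prod\tshop-frontend\ttrue\n'
  printf 'rg-prod\tlegacy-api\tfalse\n'
  printf 'rg-dev\tscratch-app\tNone\n'
}

# Usage against a live subscription:
#   az webapp list --query "[].[resourceGroup, name, httpsOnly]" -o tsv | remediation_commands
```

An empty result from `find_http_allowed` means every listed app already has HTTPS Only set to On.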


When enabled, every incoming HTTP request is redirected to the HTTPS port. This adds an extra level of security to the HTTP requests made to the app.



CIS Controls

Version 7: 7 - Email and Web Browser Protections