enable-https-only
Explanation
By default, clients can connect to App Service over either HTTP or HTTPS. HTTP should be disabled by enabling the HTTPS Only setting.
Possible Impact
Anyone can access App Service using HTTP.
Suggested Resolution
Enable HTTPS only
Insecure Example
The following example will fail the azure-appservice-enable-https-only check.
resource "azurerm_app_service" "bad_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
}
Secure Example
The following example will pass the azure-appservice-enable-https-only check.
resource "azurerm_app_service" "good_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  https_only          = true
}
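The same rule can also be applied to a rendered plan, which catches App Services declared inside modules as well as in the root configuration. The script below is an added example, not code from the original page or from the tool that ships this check; it reads the JSON shape produced by `terraform show -json`, and the function name and the sample plan are constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output
# (planned_values -> root_module -> resources / child_modules).
SAMPLE_PLAN = json.loads("""
{
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "azurerm_app_service.bad_example",
         "type": "azurerm_app_service",
         "values": {"name": "example-app-service", "https_only": false}},
        {"address": "azurerm_app_service.good_example",
         "type": "azurerm_app_service",
         "values": {"name": "example-app-service", "https_only": true}}
      ],
      "child_modules": [
        {"address": "module.web",
         "resources": [
           {"address": "module.web.azurerm_app_service.unset",
            "type": "azurerm_app_service",
            "values": {"name": "example-app-service"}}
         ]}
      ]
    }
  }
}
""")


def find_http_enabled_app_services(plan):
    """Return addresses of azurerm_app_service resources lacking https_only = true."""
    failing = []
    # Walk the root module and every nested child module iteratively.
    pending = [plan.get("planned_values", {}).get("root_module", {})]
    while pending:
        module = pending.pop()
        for res in module.get("resources", []):
            if res.get("type") != "azurerm_app_service":
                continue
            # Fail closed: a missing or false https_only is reported.
            if (res.get("values") or {}).get("https_only") is not True:
                failing.append(res["address"])
        pending.extend(module.get("child_modules", []))
    return sorted(failing)


if __name__ == "__main__":
    for address in find_http_enabled_app_services(SAMPLE_PLAN):
        print(f"FAIL {address}: https_only is not true")
```
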