Azure AppService
About
Monitor your Azure AppServices
Security
App Service Authentication Disabled
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.
Client Certificates Disabled
Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, then only an authenticated client who has valid certificates can access the app.
HTTP Traffic Allowed
Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port.
Managed Service Identities Disabled
Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords.
Unsafe TLS Version Supported
The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.
App Service Not Using Latest Programming Language Version
Ensure that all Microsoft Azure App Service web applications are using the latest available version of Programming Languages in order to take advantage of the latest security fixes, performance improvements, and new functionalities and features.
Performance
HTTP 2.0 Disabled
Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Newer versions may contain security enhancements and additional functionality. Using the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.<br><br>HTTP 2.0 has additional performance improvements on the head-of-line blocking problem of old HTTP version, header compression, and prioritization of requests. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own, more efficient, mechanisms for data streaming.
Sources
https://www.cloudanix.com/recipelist/azure/azureappserviceaudit
https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview
https://docs.microsoft.com/bs-latn-ba/azure/app-service/app-service-web-configure-tls-mutual-auth
https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https
https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions
https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings
Help Us Improve!
If you have any suggestions to improve this checklist, please let us know by filling out
this form.
