Ensure 'HTTPS Only' is set to 'On' for App Service

Category: Controls

High

Applies to: Microsoft Azure

Coverage: 1 query

Asset types: 1 covered

Overview

By default, Azure App Service allows apps to run under both HTTP and HTTPS, so anyone can reach an app through a non-secure HTTP link. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. Enforcing HTTPS-only traffic is recommended.

Rationale

Enabling HTTPS-only traffic redirects all non-secure HTTP requests to the HTTPS port. HTTPS uses the TLS/SSL protocol to provide a connection that is both encrypted and authenticated, so it is important to support HTTPS for these security benefits.

Impact

When HTTPS Only is enabled, every incoming HTTP request is redirected to the HTTPS port. This adds an extra level of security to the HTTP requests made to the app.

Default Value

By default, the HTTPS-only feature is disabled when a new app is created using the command-line tool or the Azure Portal console.

Remediation guidance

Azure Remediation

Service-wide fix (recommended): enforce HTTPS-only at the App Service platform layer and combine it with minimum TLS version and certificate hygiene for internet-facing apps.

Azure portal

  1. Open the App Service.
  2. Go to Configuration.
  3. Under General settings, set HTTPS Only to On.
  4. Save the change.

Azure CLI

az webapp update \
  --resource-group <resource-group> \
  --name <app-name> \
  --set httpsOnly=true

Validate the setting:

az webapp show \
  --resource-group <resource-group> \
  --name <app-name> \
  --query httpsOnly
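
The update and validate commands above can be applied to every app in the current subscription, using the same condition as the stored check (httpsOnly is false). The script below is an added example, not part of the original control or Cyscale's tooling; the function names are hypothetical, and it assumes an authenticated Azure CLI session.

```bash
# Added example: function names are hypothetical; only the az subcommands
# and flags are real. Assumes an authenticated Azure CLI session (az login).

# Print "<resource-group><TAB><app-name>" for each app with httpsOnly=false,
# the same condition the stored check queries for.
list_plain_http_apps() {
  az webapp list \
    --query '[?httpsOnly==`false`].[resourceGroup, name]' \
    --output tsv
}

# Turn HTTPS Only on for one app, then read the setting back to confirm it.
enforce_https_only() {
  az webapp update --resource-group "$1" --name "$2" \
    --set httpsOnly=true --output none || return 1
  [ "$(az webapp show --resource-group "$1" --name "$2" \
        --query httpsOnly --output json)" = "true" ]
}

# audit_https_only [--fix]
# Report mode returns 1 if any app allows plain HTTP (the check expects an
# empty list). With --fix it returns 1 only if an app could not be fixed.
# Returns 2 if the app list itself could not be read.
audit_https_only() {
  apps=$(list_plain_http_apps) || return 2
  [ -n "$apps" ] || return 0
  failed=0
  tab=$(printf '\t')
  while IFS=$tab read -r rg app; do
    if [ "${1:-}" != "--fix" ]; then
      echo "NONCOMPLIANT $rg/$app"; failed=1
    elif enforce_https_only "$rg" "$app" </dev/null; then
      echo "FIXED $rg/$app"
    else
      echo "FAILED $rg/$app"; failed=1
    fi
  done <<EOF
$apps
EOF
  return "$failed"
}

# Entry point: ./https-only-audit.sh --report | --fix (file name is arbitrary)
case "${1:-}" in
  --report|--fix) audit_https_only "$1" ;;
esac
```

The non-zero exit status in report mode makes the script usable as a pipeline gate; run it with --fix only after confirming that no client depends on plain HTTP.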

PowerShell

Set-AzWebApp -ResourceGroupName <resource-group> -Name <app-name> -HttpsOnly $true

Operational notes

  • HTTPS-only redirects HTTP to HTTPS, but it does not by itself fix weak TLS versions or certificate problems. Pair it with the App Service TLS controls.
  • If the app sits behind Front Door, Application Gateway, or another reverse proxy, keep HTTPS-only enabled anyway unless you have a very specific platform design that terminates and re-encrypts elsewhere.

References

  • https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings
  • https://learn.microsoft.com/en-us/cli/azure/webapp?view=azure-cli-lts

Query logic

These are the stored checks tied to this control.

Azure app services allowing plain HTTP

Connectors

Microsoft Azure

Covered asset types

Site

Expected check: eq []

{
  sites(where: { httpsOnly: false }) {
    ...AssetFragment
  }
}