Security Best Practices for Azure App Service Web Apps, Part 2

In our previous post on this topic, we learned how to configure custom domain names and certificates for web applications developed using Microsoft’s Azure App Service. Regardless of whether you use a custom domain for your Azure web application, by default HTTPS is not strictly enforced for Azure web applications. This means that your web application will be available both over plain HTTP and HTTPS. HTTP is a clear-text protocol, with sensitive information sent unencrypted over the network. In this post, we will see how we can enforce HTTPS for web applications developed using Azure App Service.

 

Enforce HTTPS 

To enforce HTTPS for a web application, use the URL Rewrite module provided by the Azure App Service. The module is similar to the URL Rewrite module in Microsoft’s Internet Information Services, but Azure’s can be used for many types (ASP.NET, PHP, Node.js, Java, or Python) of web applications developed using Azure App Service.

URL Rewrite rules are defined under the <system.WebServer> section of the web.config file. If there is no web.config file, then create one. Otherwise add these URL Rewrite rules to the current config file:

 

<?xml version=”1.0″ encoding=”UTF-8″?>

<configuration>

<system.webServer>

<rewrite>

<rules>

<rule name=”Force HTTPS” enabled=”true”>

<match url=”(.*)” ignoreCase=”false” />

<conditions>

<add input=”{HTTPS}” pattern=”off” />

</conditions>

<action type=”Redirect” url=”https://{HTTP_HOST}/{R:1}” appendQueryString=”true” redirectType=”Permanent” />

</rule>

<rule name=”Rule2″ enabled=”true”>

………………………………

………………………………

</rule>

</rules>

</rewrite>

</system.webServer>

</configuration>

Sample web.config file taken from Azure’s website.

 

The web.config file should be placed in the root directory of your web application. If a web.config already exists with URL Rewrite rules, then ensure that the first URL Rewrite rule is always for HTTPS redirection, as shown in the preceding example.

What if you use PHP, Node.js, Java, or Python Django, which have no web.config file? Follow these instructions:

1. Connect using your favorite deployment method.

PHP: Save the preceding sample web.config file without rule 2 and put it in the root directory of your web application.

Java: A web.config file is automatically created for Java applications when it is deployed by the Azure App Service. Download the web.config file and add the <rewrite> section without rule 2 from the example into the <system.webServer> section.

JavaScript and Python Django: The web.config file is automatically created for Node.js and Python Django applications when it is deployed by the Azure App Service. First download the web.config file. Next, under the <rules> section, add the first rule for HTTPS redirection as shown in the example. Don’t delete other existing rules; just add this new rule as the first rule.

.NET: Download the web.config file and add the <rewrite> section without rule 2 from the example into the <system.webServer> section. If the <rewrite> section exists, then add the HTTP redirection rule from the example as the first rule. For .NET MVC applications, use the RequireHttps filter instead of URL Rewrite.

2. Redeploy your web application and observe all HTTP requests being redirected to HTTPS.

 

HTTP Strict Transport Security (HSTS)

The preceding method of enforcing HTTPS works redirection. If a user issues a request over HTTP, it will be redirected to HTTPS. The problem here is that the initial HTTP request is vulnerable to a man-in-the-middle attack, and an attacker can redirect a user to a malicious page. For example, a user connects to open WiFi at an airport or café and requests a web application over HTTP. Because this WiFi is controlled by the attacker, the user is redirected to a malicious page instead of the real web application. To protect users from such scenarios, web applications can use an HSTS header. Through HSTS, web applications can instruct browsers that they can be accessed only using HTTPS. (HSTS can solve the preceding problem only if a user has previously accessed the web application over HTTPS.)

To enable HSTS, add an outbound rule in web.config, as shown:

<?xml version=”1.0” encoding=”UTF-8″?>

<configuration>

<system.webServer>

<rewrite>

<rules>

<rule name=”HTTP to HTTPS redirect” stopProcessing=”true”>

<match url=”(.*)” />

<conditions>

<add input=”{HTTPS}” pattern=”off” ignoreCase=”true” />

</conditions>

<action type=”Redirect” url=”https://{HTTP_HOST}/{R:1}”

redirectType=”Permanent” />

</rule>

</rules>

<outboundRules>

                <rule name=”Add Strict-Transport-Security when HTTPS” enabled=”true”>

                    <match serverVariable=”RESPONSE_Strict_Transport_Security”

                        pattern=”.*” />

                    <conditions>

                        <add input=”{HTTPS}” pattern=”on” ignoreCase=”true” />

                    </conditions>

                    <action type=”Rewrite” value=”max-age=31536000″ />

                </rule>

            </outboundRules>

</rewrite>

</system.webServer>

</configuration>

Sample HSTS solution provided by Doug Wilson.

 

References

https://azure.microsoft.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/#bkmk_enforce

https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security

This blog post was written by Piyush Mittal.

Leave a Comment

7 + three =