terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only
semgrep
Author
unknown
By default, clients can connect to App Service using either HTTP or HTTPS. HTTP should be disabled by enabling the HTTPS Only setting, so that requests are only accepted over TLS.
Definition
rules:
  - id: appservice-enable-https-only
    message: By default, clients can connect to App Service by using both HTTP or
      HTTPS. HTTP should be disabled by enabling the HTTPS Only setting.
    patterns:
      # Match the `resource` keyword of any azurerm_app_service block...
      - pattern: resource
      # ...except blocks that explicitly set https_only = true
      - pattern-not-inside: |
          resource "azurerm_app_service" "..." {
            ...
            https_only = true
            ...
          }
      # Flag both the block with https_only = false and the block that omits
      # the attribute entirely (the provider default is false)
      - pattern-either:
          - pattern-inside: |
              resource "azurerm_app_service" "..." {
                ...
              }
          - pattern-inside: |
              resource "azurerm_app_service" "..." {
                ...
                https_only = false
                ...
              }
    metadata:
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      category: security
      technology:
        - terraform
        - azure
      references:
        - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only
        - https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - hcl
    severity: ERROR
Examples
appservice-enable-https-only.tf

# ok: appservice-enable-https-only
resource "azurerm_app_service" "good_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  https_only          = true
}

# ruleid: appservice-enable-https-only
resource "azurerm_app_service" "bad_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  https_only          = false
}

# ruleid: appservice-enable-https-only
# https_only is omitted here; the azurerm provider defaults it to false, so
# plaintext HTTP stays enabled. Renamed from a second "bad_example" so the two
# resource addresses do not collide.
resource "azurerm_app_service" "bad_example_default" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
}
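The rule's three-way logic (explicit true passes, explicit false and a missing attribute both fail) can be reproduced outside Semgrep as a quick pre-commit check. The following Python script is an added example, not part of the Semgrep rule or its test file; the sample HCL is constructed here, and the lightweight regex parser assumes flat resource blocks without nested braces.

```python
import re

# Constructed sample mirroring the cases the rule distinguishes: https_only = true
# (compliant), https_only = false (flagged), attribute absent (flagged, because the
# azurerm provider defaults https_only to false), plus an unrelated resource type.
SAMPLE_TF = '''
resource "azurerm_app_service" "good" {
  name       = "app-good"
  https_only = true
}

resource "azurerm_app_service" "explicit_http" {
  name       = "app-http"
  https_only = false
}

resource "azurerm_app_service" "default_http" {
  name = "app-default"
}

resource "azurerm_storage_account" "unrelated" {
  name = "stor"
}
'''

# Top-level resource block: assumes the body has no nested braces (flat attributes only).
RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
HTTPS_ONLY_RE = re.compile(r'^\s*https_only\s*=\s*(true|false)\s*$', re.MULTILINE)


def find_http_enabled_app_services(tf_text: str) -> list:
    """Return (resource name, reason) for each azurerm_app_service that still
    accepts plaintext HTTP: https_only is false or not set at all."""
    findings = []
    for m in RESOURCE_RE.finditer(tf_text):
        if m.group("type") != "azurerm_app_service":
            continue  # the rule only targets App Service resources
        setting = HTTPS_ONLY_RE.search(m.group("body"))
        if setting is None:
            findings.append((m.group("name"), "https_only not set (provider default is false)"))
        elif setting.group(1) == "false":
            findings.append((m.group("name"), "https_only = false"))
    return findings


if __name__ == "__main__":
    for name, reason in find_http_enabled_app_services(SAMPLE_TF):
        print(f"azurerm_app_service.{name}: {reason}")
```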
Short Link: https://sg.run/GOKp