package appservice

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckEnforceHttps reports Azure Function Apps whose HTTPSOnly setting is
// false, so that plain-HTTP access to the app is surfaced as a finding.
// Function Apps whose metadata is unmanaged are not evaluated at all; every
// other app either produces a failed result (HTTPSOnly is false) or a
// passed result.
var CheckEnforceHttps = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0004",
		Provider:    providers.AzureProvider,
		Service:     "appservice",
		ShortCode:   "enforce-https",
		Summary:     "Ensure the Function App can only be accessed via HTTPS. The default is false.",
		Impact:      "Anyone can access the Function App using HTTP.",
		Resolution:  "You can redirect all HTTP requests to the HTTPS port.",
		Explanation: `By default, clients can connect to function endpoints by using both HTTP or HTTPS. You should redirect HTTP to HTTPs because HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https",
			"https://docs.microsoft.com/en-us/azure/azure-functions/security-concepts",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnforceHttpsGoodExamples,
			BadExamples:         terraformEnforceHttpsBadExamples,
			Links:               terraformEnforceHttpsLinks,
			RemediationMarkdown: terraformEnforceHttpsRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	// The check walks every Function App in the scanned state and records one
	// result per managed app, anchored on its HTTPSOnly attribute.
	func(s *state.State) (results scan.Results) {
		apps := s.Azure.AppService.FunctionApps
		for i := range apps {
			app := apps[i]
			// Unmanaged resources have no evaluable configuration; skip them.
			if app.Metadata.IsUnmanaged() {
				continue
			}
			// Only an explicitly-false HTTPSOnly value is a finding; anything
			// else (true or not resolvable) is recorded as a pass.
			if !app.HTTPSOnly.IsFalse() {
				results.AddPassed(&app)
				continue
			}
			results.Add(
				"Function app does not have HTTPS enforced.",
				app.HTTPSOnly,
			)
		}
		return results
	},
)