azure azure-web-app-service azure-configuration

Azure - How to fix "Web application should only be accessible over HTTPS" warning?


In an Azure app service > security, the following warning is displayed:

Azure security warning

Question: How to set the application for https only?

Already tried:

  • edit the web.config in app service editor (XML) to create a redirection rule, which seems to be working but not removing the warning
  • enable https only in custom domains (off -> ON)
  • found a setting in an ARM template that seems to be related to this, but cannot edit template for the existing app
  • looked for a solution in appsettings.json (not found)

Thank you for your help!


Solution

  • If you go via Advisor - Security, you can click on the recommendations to see Description, General information, Threats and Remediation Steps.

    For your recommendation, this is available:

    Remediation steps
    To redirect all HTTP traffic to HTTPS, we recommend the following steps:
    1. Go to the app service custom domains page
    2. In the HTTPS Only toggle select On

    I can imagine recommendations will not be updated right away. Besides a statement that these are held in a cache somewhere, I could not find any documentation on how often recommendations are refreshed.

    Update - found this:

    Advisor relies on backend telemetry to update its recommendation list. There will always be some delay between resolving a recommendation and seeing it removed from the list. If more people also feel strongly about this issue, we can prioritize accordingly.

    More information at Allow the ability to refresh Advisor recommendations
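
Because the Advisor list lags behind the real configuration, the setting can be checked directly. The following is an added example, not part of the original question or answer: it scans an exported ARM template for App Service sites and slots whose `httpsOnly` property (the property behind the HTTPS Only toggle) is not `true`. The template content and resource names are constructed for illustration.

```python
import json

# Constructed sample: a trimmed ARM template export, not taken from the page.
SAMPLE_TEMPLATE = """
{
  "resources": [
    {"type": "Microsoft.Web/sites", "name": "app-redirect-only",
     "properties": {"serverFarmId": "plan-a"}},
    {"type": "Microsoft.Web/sites", "name": "app-fixed",
     "properties": {"httpsOnly": true}},
    {"type": "Microsoft.Web/sites", "name": "app-explicit-off",
     "properties": {"httpsOnly": false},
     "resources": [{"type": "slots", "name": "staging", "properties": {}}]},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stor1", "properties": {}}
  ]
}
"""

SITE_TYPES = {"microsoft.web/sites", "microsoft.web/sites/slots"}


def _walk(resources, parent_type="", parent_name=""):
    """Yield (full_type, full_name, resource), resolving nested child resources."""
    for res in resources:
        rtype, rname = res.get("type", ""), res.get("name", "")
        if parent_type:  # nested children use a type/name relative to the parent
            rtype, rname = f"{parent_type}/{rtype}", f"{parent_name}/{rname}"
        yield rtype, rname, res
        yield from _walk(res.get("resources", []), rtype, rname)


def sites_without_https_only(template):
    """Return (name, state) for every site or slot where httpsOnly is not literally true."""
    findings = []
    for rtype, rname, res in _walk(template.get("resources", [])):
        if rtype.lower() not in SITE_TYPES:
            continue
        value = (res.get("properties") or {}).get("httpsOnly")
        if value is not True:  # a web.config redirect rule alone does not set this property
            findings.append((rname, "missing" if value is None else repr(value)))
    return findings


if __name__ == "__main__":
    for name, state in sites_without_https_only(json.loads(SAMPLE_TEMPLATE)):
        print(f"{name}: httpsOnly {state}")
```

A value given as a template expression (a string such as a parameter reference) is also reported, so it can be resolved and reviewed by hand.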