I created a new Web App on D1 App Service Plan. I just published the application (.Net Core 2.2 app) from Visual Studio. I see that I can access my app with HTTPS and the browser tells me that this is a secured connection (with a padlock). How did that happen? When I go to TLS/SSL section of my Web App settings, there are no certificates added.
Even without the custom domain, you have SSL enabled for your site. By default, Azure secures the *.azurewebsites.net wildcard domain with a single SSL certificate, so your clients can already access your app with https.