19

Is there a way with Azure Functions to force connections to be over HTTPS?

I'm not seeing it in the App Settings, and I don't see any reference to web.config for Azure Functions.

Janusz Nowak
  • 2,595
  • 1
  • 17
  • 36
Doug
  • 6,446
  • 9
  • 74
  • 107
  • You're able to configure your Function App to use SSL using your certificate. In this way, you'll keep your Functions safer. This can be configured at **Platform Feature** on Functions Portal. There you'll able to find this option. – Jose Roberto Araujo Jun 22 '17 at 19:42
  • Does this disable HTTP? I didn't think it would? – Doug Jun 26 '17 at 14:14

4 Answers4

26

Update November 2017

In the Azure portal, go to your function app.

Platform features > Custom Domains > toggle HTTPS Only to 'On'.

Anyone using HTTP will receive a 301 Moved Permanently and be redirected to the HTTPS endpoint. You do not need to actually add a new hostname/domain to toggle this feature. This appears to work with both consumption and app service plans.

Cody
  • 2,451
  • 2
  • 20
  • 19
  • 1
    It's notable that this still works, even if you are only using an azurewebsites.net subdomain. – Andrew Palmer Dec 04 '17 at 20:49
  • 1
    Please note that if you are regularly deploying new builds using deploy slots, this setting is NOT INHERITED along with other configuration settings when you create the new deploy slot. If you do not set this in the deploy slot's custom domain setting, then it will LOOK like it gets pushed to production when you swap deploy and production, but as soon as you log out, it will unset itself. I reported the bug, but until this is fixed consider using a web.config or code solution, e.g. http://microsoftazurewebsitescheatsheet.info/#force-https – Will Lanni Mar 23 '18 at 20:31
  • Also note that this setting _does not prevent_ requests from being sent unencrypted. A redirection response is returned, but if the original request includes sensitive data, auth tokens, or other things that _must_ be encrypted, they'll still be sent up to the server unencrypted at first. – Jonathan Gilbert Apr 22 '22 at 15:06
5

I don't think there is a way today, but I could see making a case for enforcing this globally (or at least as an option).

Please open an issue https://github.com/Azure/azure-webjobs-sdk-script/ so it can get properly tracked.

David Ebbo
  • 42,443
  • 8
  • 103
  • 117
  • For others looking for the new feature request, it can be found here: https://github.com/Azure/azure-webjobs-sdk-script/issues/1228 – Doug Jun 26 '17 at 14:14
2

You can do this via az CLI via the flag --https-only true for az functionapp create.

See az functionapp docs.

Or az functionapp update --set httpsOnly=true ... if the app already exists.

Ken Jiiii
  • 474
  • 9
  • 21
0

You can do it by going to your function app in azure portal.

Under the settings section you will see the "custom domains" as a selection option. enter image description here

Now on the new page you will see the toggle called HTTPS Only, On it and you will be able to access you api endpoint with "https". Like this as below.

enter image description here

Sohaib
  • 675
  • 8
  • 15