We have an azure website, where we have the https only setting turned on, and we also have url rewrite rules set up as well so that when you go to our site at http://example.com (we have a custom domain that is secured with a cert using IP SSL - both example.com and www.example.com), you get redirected to https://example.com. When using a web browser, this clearly works. However, when using a tool such as Postman or vulnerability scanning, such as ZAP, the server is clearly responding to http and not redirecting the request to https. We are currently failing a vulnerability scan due to this, and we cannot figure out what else to do to get the site to force https. As I said, it works when using a web browser, but not with direct web requests from non-browser tools. Thanks!
There exists extensive documentation for this use case on the Web. Nonetheless I don't think that using url rewrite rules will actually translate http to https. In my opinion your reverse proxy or whatever is serving your content should instead send a http redirect. Postman will work in that setup as by default it will follow redirects. We use this method in production and pass all security scans. You may also pin your domain (or subdomain) to https by configuring HSTS. – bsaverino Jun 10 '20 at 21:24
-
We did just add the header - would that suffice for HSTS? – user1368182 Jun 10 '20 at 21:34
-
I'm not familiar with Azure so I cannot tell from here. But you still need to implement a valid redirect (or equivalent) when hitting HTTP so that the user gets redirected to HTTPS. Does this link correspond to what you did? https://stackoverflow.com/questions/39244265/azure-web-app-redirect-http-to-https – bsaverino Jun 10 '20 at 21:54
-
Yes - we have a setting now in Azure called Https Only, that you can turn on to force it, which we have... and before that setting was created, we already had the rewrite rules that do the permanent redirect to https as well... so we have both. I don't know what else we can do. If the ZAP test is only going to show that we allow http because we return a 301 redirect to https with that request, then I'm not sure what else we can do, short of just blocking access to the site altogether instead of the redirect. – user1368182 Jun 10 '20 at 22:49
-
I guess this is good then. From my experience, it is not a security threat at all to have an http redirect (301) in place. It is even best practice to do (Googling will broadly confirm this assertion). So I suppose that if you have a warning it should be dismissed, and if it is an error then it might be caused by ZAP configuration (redirects are correctly received and followed?). Maybe just make sure also that "Https Only" setting and rewrite rules do not conflict at some point. – bsaverino Jun 11 '20 at 01:24
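The thread turns on what a non-browser client actually receives on the plain-HTTP request: Postman follows redirects by default, so it shows the final HTTPS page, while a scanner looks at the first response. The script below is an added example written for this page, not code from the question, the commenters or Azure. It evaluates a response the way a scanner would, without following the redirect: the http:// request must answer with a 301/302/307/308 whose Location is https:// on the same host, and the https:// response must carry a Strict-Transport-Security header with an adequate max-age. The sample responses (`GOOD_HTTP`, `BAD_HTTP`, `GOOD_HTTPS`, `WEAK_HTTPS`), the host name example.com and the one-year max-age threshold are constructed assumptions; `probe()` is the only part that touches the network and is not needed to run the samples.

```python
"""Check HTTP->HTTPS enforcement the way a scanner sees it (added example).

Nothing here follows redirects: a 301 to https:// on the plain-HTTP request
is the PASS condition, a 200 over plain HTTP is the FAIL condition.
"""
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}
ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this example


def check_redirect(host, status, headers):
    """Does the response to http://<host>/ send the client to https on the same host?

    `headers` maps lower-case header names to values. Returns (ok, reason).
    """
    if status not in REDIRECT_CODES:
        return False, f"expected 301/302/307/308 on plain HTTP, got {status}"
    location = headers.get("location", "")
    target = urlsplit(location)
    if target.scheme != "https":
        return False, f"Location is not https: {location!r}"
    if (target.hostname or "").lower() != host.lower():
        # Strict by design: a redirect to another host is a separate decision.
        return False, f"redirect leaves the host: {location!r}"
    return True, f"{status} -> {location}"


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers, min_age=ONE_YEAR):
    """Is HSTS present on the HTTPS response with an acceptable max-age?"""
    value = headers.get("strict-transport-security")
    if value is None:
        return False, "no Strict-Transport-Security header"
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return False, f"missing or non-numeric max-age: {value!r}"
    if max_age < min_age:
        return False, f"max-age {max_age} is below {min_age}"
    extra = ", includeSubDomains" if "includesubdomains" in d else ""
    return True, f"max-age={max_age}{extra}"


def probe(host, scheme="http", path="/"):
    """Fetch ONE response and stop, i.e. do not follow redirects.

    Needs network access; the offline samples below do not call it.
    """
    cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    try:
        conn.request("GET", path, headers={"User-Agent": "https-enforcement-check"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def audit(host, http_status, http_headers, https_headers):
    """Run both checks; returns {check_name: (ok, reason)}."""
    return {
        "redirect": check_redirect(host, http_status, http_headers),
        "hsts": check_hsts(https_headers),
    }


# Constructed sample responses (not captured from any real site).
GOOD_HTTP = (301, {"location": "https://example.com/", "content-length": "0"})
BAD_HTTP = (200, {"content-type": "text/html"})  # page served over plain HTTP
GOOD_HTTPS = {"strict-transport-security": "max-age=31536000; includeSubDomains"}
WEAK_HTTPS = {"strict-transport-security": "max-age=300"}  # present but too short

if __name__ == "__main__":
    for name, (status, hdrs), https_hdrs in [("good", GOOD_HTTP, GOOD_HTTPS),
                                             ("bad", BAD_HTTP, WEAK_HTTPS)]:
        for check, (ok, why) in audit("example.com", status, hdrs, https_hdrs).items():
            print(f"{name:4} {check:8} {'PASS' if ok else 'FAIL'}: {why}")
```

To look at a live site, call `probe("example.com")` for the plain-HTTP response and `probe("example.com", "https")` for the TLS one and feed both into `audit()`. Because `probe()` never follows the redirect, its output matches what ZAP reports rather than what Postman displays after following it; if the first call returns a 200 with page content, the redirect really is missing for that client, while a 301 to https:// means the setup is doing what the commenters describe. The same-host rule is deliberately strict; if the site sends example.com to https://www.example.com, relax that check on purpose rather than by accident.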