Terraform Auth Not Enabled
Description
Azure App Service authentication provides built-in authentication and authorization support to secure web applications. When authentication is disabled or not configured, applications become vulnerable to unauthorized access since there is no authentication layer protecting the endpoints.
Detection Strategy
• Check Azure App Service resource blocks in Terraform configuration
• Report a vulnerability if the 'auth_settings' block is missing in the resource configuration
• Report a vulnerability if 'auth_settings' has enabled = false explicitly set
• Ensure all App Service resources have authentication enabled through auth_settings configuration
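The two reporting rules above can be expressed as a small scanner over Terraform source. This is an added example, not the detection code of the tool this page describes; the function names and the sample Terraform are constructed for illustration, and it assumes plain HCL without heredoc strings.

```python
import re

RESOURCE_RE = re.compile(r'resource\s+"azurerm_app_service"\s+"([^"]+)"\s*\{')
AUTH_RE = re.compile(r'\bauth_settings\s*\{')
DISABLED_RE = re.compile(r'\benabled\s*=\s*false\b')
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\\n])*"|#[^\n]*|//[^\n]*|/\*.*?\*/', re.S)

# Constructed sample input covering both findings and one compliant resource.
SAMPLE_TF = '''
resource "azurerm_app_service" "no_auth" {
  # auth_settings { enabled = true }  <- commented out, must not count
  site_config { always_on = true }
}
resource "azurerm_app_service" "auth_off" {
  auth_settings { enabled = false }
}
resource "azurerm_app_service" "auth_on" {
  auth_settings {
    enabled             = true
    token_store_enabled = false
  }
}
'''

def _neutralize(m):
    """Drop comments; blank braces inside strings so they do not affect depth."""
    tok = m.group(0)
    return tok.replace("{", " ").replace("}", " ") if tok[0] == '"' else ""

def _block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    return text[open_idx + 1:]  # unterminated block: take the rest

def find_unauthenticated_app_services(hcl):
    """Return (resource_name, reason) for each resource failing the two checks."""
    clean = TOKEN_RE.sub(_neutralize, hcl)
    findings = []
    for res in RESOURCE_RE.finditer(clean):
        body = _block_body(clean, res.end() - 1)
        auth = AUTH_RE.search(body)
        if auth is None:
            findings.append((res.group(1), "auth_settings block missing"))
        elif DISABLED_RE.search(_block_body(body, auth.end() - 1)):
            findings.append((res.group(1), "auth_settings has enabled = false"))
    return findings
```

Calling `find_unauthenticated_app_services(SAMPLE_TF)` reports `no_auth` and `auth_off` and leaves `auth_on` alone, because `token_store_enabled = false` is not the `enabled` attribute.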
Vulnerable code example
resource "azurerm_app_service" "vulnerable" {
  name                = "myapp"
  resource_group_name = "my-rg"
  location            = "eastus"
  app_service_plan_id = "plan-id"
  # Vulnerable: there is no auth_settings block, so unauthenticated access is allowed
  site_config {
    always_on = true
    ...
✅ Secure code example
resource "azurerm_app_service" "secure1" {
  name                = "myapp"
  resource_group_name = "my-rg"
  location            = "eastus"
  app_service_plan_id = "plan-id"
  client_cert_enabled = true # Enable client certificate authentication
  site_config {
    ...