Terraform Https Only Disabled Or Missing
Description
Identifies Azure App Services and Function Apps that are not configured to require HTTPS-only access. Resources without enforced HTTPS allow insecure HTTP connections, potentially exposing sensitive data in transit to interception or tampering.
Detection Strategy
• Checks Azure resource declarations in Terraform configuration files including: App Service, Windows Web App, Linux Web App, and Function App
• Examines each resource block for the https_only argument that enforces HTTPS-only access
• Reports a vulnerability if HTTPS-only access is either disabled or the setting is missing from the configuration
• Specifically looks for resources of types: azurerm_app_service, azurerm_windows_web_app, azurerm_linux_web_app, azurerm_function_app
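The detection strategy above can be reproduced with a small static check. The following script is an added example written for this page, not Fluid Attacks' own scanner code: it walks each Terraform resource block, keeps only the block's top-level arguments (so an argument inside a nested block such as site_config is not mistaken for the resource's own https_only setting), and reports the four targeted resource types whose https_only is missing, false, or not a literal true. The sample configuration embedded in it is constructed for the demo; the plan id value is a placeholder.

```python
import re

# Resource types covered by the rule (from the detection strategy above).
TARGET_TYPES = {
    "azurerm_app_service",
    "azurerm_windows_web_app",
    "azurerm_linux_web_app",
    "azurerm_function_app",
}

RESOURCE_HEADER = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
# An https_only assignment on its own line; the value is captured verbatim.
HTTPS_ONLY = re.compile(r'^\s*https_only\s*=\s*([^\s#]+)', re.MULTILINE)


def _resource_blocks(hcl):
    """Yield (type, name, top_level_text) for every resource block.

    Simplified HCL walk: braces are counted to find the block end and only
    text at the block's own level is kept, so an attribute inside a nested
    block such as site_config {} is ignored. Braces inside strings or
    comments are not special-cased (assumption: plain, well-formed HCL).
    """
    for header in RESOURCE_HEADER.finditer(hcl):
        depth, i, top = 1, header.end(), []
        while i < len(hcl) and depth > 0:
            ch = hcl[i]
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
            elif depth == 1:
                top.append(ch)
            i += 1
        yield header.group(1), header.group(2), "".join(top)


def find_https_only_findings(hcl):
    """Return (type, name, reason) for each targeted resource that does not
    enforce HTTPS: https_only missing, set to false, or not a literal true."""
    findings = []
    for rtype, name, body in _resource_blocks(hcl):
        if rtype not in TARGET_TYPES:
            continue
        match = HTTPS_ONLY.search(body)
        if match is None:
            findings.append((rtype, name, "https_only missing: plain HTTP is not refused"))
        elif match.group(1) == "false":
            findings.append((rtype, name, "https_only = false: plain HTTP explicitly allowed"))
        elif match.group(1) != "true":
            findings.append((rtype, name, f"https_only = {match.group(1)}: not a literal true, review"))
    return findings


# Constructed sample configuration for the demo (not from any real project).
SAMPLE_TF = '''
resource "azurerm_resource_group" "rg" {
  name     = "example-rg"
  location = "eastus"
}

resource "azurerm_linux_web_app" "web" {
  name                = "example-app"
  resource_group_name = azurerm_resource_group.rg.name
  location            = "eastus"
  service_plan_id     = "PLACEHOLDER_PLAN_ID"
  https_only          = false
  site_config {}
}

resource "azurerm_function_app" "fn" {
  name                = "example-fn"
  resource_group_name = azurerm_resource_group.rg.name
  location            = "eastus"
  # https_only omitted on purpose at the resource level
  site_config {
    https_only = true   # misplaced in a nested block; only exercises the walker
  }
}

resource "azurerm_windows_web_app" "ok" {
  name                = "example-ok"
  resource_group_name = azurerm_resource_group.rg.name
  location            = "eastus"
  service_plan_id     = "PLACEHOLDER_PLAN_ID"
  https_only          = true
  site_config {}
}
'''

if __name__ == "__main__":
    for rtype, name, reason in find_https_only_findings(SAMPLE_TF):
        print(f"{rtype}.{name}: {reason}")
```

Running the script reports the Linux web app (explicit false) and the function app (argument missing at the resource level), while the Windows web app with https_only = true and the unrelated resource group produce nothing. A value that is an expression rather than a literal is flagged for review instead of being silently accepted, which is the conservative choice for a check that cannot evaluate variables.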
Vulnerable code example
resource "azurerm_linux_web_app" "example" {
  name                = "example-app"
  location            = "eastus"
  resource_group_name = "example-rg"
  service_plan_id     = "PLACEHOLDER_PLAN_ID" # required by the provider; placeholder value
  site_config {}                              # required block, left empty here
  # Security risk: No HTTPS enforcement, allowing insecure HTTP traffic
  https_only          = false
}
✅ Secure code example
resource "azurerm_linux_web_app" "example" {
  name                = "example-app"
  location            = "eastus"
  resource_group_name = "example-rg"
  service_plan_id     = "PLACEHOLDER_PLAN_ID" # required by the provider; placeholder value
  site_config {}                              # required block, left empty here
  # Enforce HTTPS to prevent man-in-the-middle attacks
  https_only          = true
}