
How To Remove Weak Cipher Suites Remove Enterprise Grade Edge on Azure Static Web Apps Allows

ab 20 Reputation points
2025-09-25T23:07:53.52+00:00

My company recently ran a security audit and found that Azure Static Web Apps with Enterprise Grade Edge is using two weak ciphers.

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS  
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS

I've read through lots of Q/A that seem to indicate that this is possible but on further examination of comments responding to the answer it was found that the answer was for Azure App Service instead of Azure Static Web apps. Link: https://learn.microsoft.com/en-us/answers/questions/1160695/disabling-week-tls-weak-ciphers-on-azure-static-we

Is there a way to remove the use of the weak ciphers from the Enterprise Grade Edge of Azure Static Web Apps? If there is a way to remove the security risk on Azure Static Web Apps' Enterprise Grade Edge with the Standard service plan, please let me know.

Azure Static Web Apps

An Azure service that provides streamlined full-stack web app development.


Answer accepted by question author

  1. Akpesiri Ogbebor 3,115 Reputation points Volunteer Moderator
    2025-09-27T09:22:58.3633333+00:00

    Hello ab

    Thanks for contacting Microsoft Q&A. I’ll be happy to help clarify this issue.

    Thanks for sharing the details. You’re encountering a known limitation with Azure Static Web Apps (SWA) when using the Enterprise-Grade Edge feature — the platform does not currently allow you to disable or remove individual TLS cipher suites (including the CBC-based ones flagged in your audit):

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)

    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

    These cipher suites are part of the managed TLS configuration provided by the Static Web Apps infrastructure (built on Azure Front Door). Unlike App Service, SWA does not expose a “Minimum TLS Cipher Suite” setting or any other way to override the platform’s TLS negotiation.

    https://learn.microsoft.com/answers/questions/1441255/how-to-disable-weaker-tls-cipher-suites-for-static

    **Recommendations**

    1. **Use your own Azure Front Door (Standard/Premium):** If you need to enforce stronger TLS policies, deploy a dedicated Azure Front Door Standard/Premium in front of your Static Web App.
       • Configure a custom TLS policy to exclude older CBC ciphers.
       • Point your custom domain to the Front Door endpoint.
       • Lock down the SWA so it only accepts traffic from your Front Door (via access restrictions/IP allowlist).

    2. **Open a Microsoft support request/feature request.** If your compliance requirements require disabling these ciphers, could you raise a support ticket or submit a feature request? Cipher customisation for SWA is not yet available, but Microsoft tracks customer demand.

    3. **Apply compensating controls**
       • Enable and prefer TLS 1.3 (modern clients will use stronger cipher suites).
       • Configure HSTS to block downgrade attacks.
       • Monitor connections to your app to detect clients using older/weaker suites.

    Currently, there is no supported way to remove or disable weak cipher suites on Azure Static Web Apps Enterprise-Grade Edge. To meet strict compliance requirements, the recommended approach is to front your SWA with a dedicated Azure Front Door where you can fully control TLS policies.

    https://learn.microsoft.com/azure/frontdoor/end-to-end-tls

    https://learn.microsoft.com/azure/static-web-apps/enterprise-edge

    If this answers your query, do click Accept Answer and Yes. If this answer was helpful, and you have any further queries, please let us know.

    Siri

    1 person found this answer helpful.
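An added example, not part of the question, the accepted answer, or any Microsoft tooling: a Python script that parses audit lines in the format quoted in the question, flags CBC suites under a simple policy, and includes a probe that offers only the flagged TLS 1.2 suites so you can verify, after fronting the app with your own Front Door, that the endpoint no longer negotiates them. The GCM and TLS 1.3 sample lines and any hostname passed to the probe are constructed; the policy (CBC, SHA-1 MAC, or no forward secrecy counts as weak) is an assumption modelled on the audit finding.

```python
import re
import socket
import ssl

# Constructed sample in the scanner's line format: the two findings from the
# question plus a GCM suite and a TLS 1.3 suite for contrast.
AUDIT_LINES = """
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS
TLS_AES_256_GCM_SHA384 (0x1302)   ECDH x25519 (eq. 3072 bits RSA)   FS
"""
LINE_RE = re.compile(r"^(TLS_\S+)\s+\((0x[0-9a-fA-F]{4})\)\s+(.*?)(?:\s+(FS))?\s*$")

def parse_audit(text):
    """Return (suite, hex_id, key_exchange, forward_secrecy) for each scanner line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(3), m.group(4) == "FS"))
    return rows

def is_weak(suite, forward_secrecy=True):
    """Assumed policy: CBC mode, a SHA-1 MAC, or no forward secrecy counts as weak."""
    return not forward_secrecy or "_CBC_" in suite or suite.endswith("_SHA")

def weak_suites(text):
    """Names of the suites in an audit report that fail the policy."""
    return [s for s, _, _, fs in parse_audit(text) if is_weak(s, fs)]

# ssl.set_ciphers() takes OpenSSL names, so map the IANA names the scanner uses.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
}

def endpoint_accepts(host, suites, port=443, timeout=5):
    """Offer ONLY the given TLS 1.2 suites; return the one the server picks, or None."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # stop TLS 1.3 from masking the result
    ctx.set_ciphers(":".join(IANA_TO_OPENSSL[s] for s in suites))
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None  # handshake refused: the suites are no longer offered
```

Run `endpoint_accepts("<your-custom-domain>", weak_suites(AUDIT_LINES))` against your own endpoint; `None` means the server refused every CBC suite offered, a negotiated name means the finding still stands.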

0 additional answers
