Weak ciphers & amend headers on app proxy application

Matthew Riddler 21 Reputation points


My company has just deployed a azure app proxy application, pointing to an internal server.
Authentication is done at the app proxy instance.
As part of this we have had a vulnerability scan completed & we have 2 things that need looking at.

We need to set the HSTS header & it is also showing as having weak Ciphers.

Is there a way to change these settings at the app proxy layer, or do I need an application gateway in front (not too sure if you can put an app gateway in front of an app proxy app).
I couldn't figure out what category to put this in with a support call with Microsoft.


Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,548 questions
0 comments No comments
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 56,506 Reputation points

    @MatthewRiddler-9775 The server where you have installed the App Proxy Connector establishes outbound connection to the App Proxy Service in Azure. It sends all Cipher Suites (enabled on the connector server) in the client hello during TLS Handshake and in server hello, the Azure App Proxy service responds with the cipher suite which is strongest and common between them. So, in order to remove the use of week ciphers, you can disable them from the App Proxy Connector server.

    Read more: https://support.microsoft.com/en-in/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Matthew Riddler 21 Reputation points

    Thanks @amanpreetsingh-msft. The connectors were running old ciphers. Some other sites (still app proxy) had different ciphers. They were pointing to a different connector group. With better ciphers.
    Will arrange to get these updated.