Azure App Service security recommendations
This article lists all the security recommendations you might see issued by the Microsoft Defender for Cloud plan for Azure App Service (Microsoft Defender for App Service).
The recommendations that appear in your environment are based on the resources that you're protecting and on your customized configuration.
To learn about actions that you can take in response to these recommendations, see Remediate recommendations in Defender for Cloud.
Tip
If a recommendation's description says 'No related policy', usually it's because that recommendation is dependent on a different recommendation and its policy.
For example, the recommendation Endpoint protection health failures should be remediated relies on the recommendation that checks whether an endpoint protection solution is even installed (Endpoint protection solution should be installed). The underlying recommendation does have a policy. Limiting the policies to only the foundational recommendation simplifies policy management.
App Services recommendations
API App should only be accessible over HTTPS
Description: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. (Related policy: API App should only be accessible over HTTPS).
Severity: Medium
CORS should not allow every resource to access API Apps
Description: Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. (Related policy: CORS should not allow every resource to access your API App).
Severity: Low
CORS should not allow every resource to access Function Apps
Description: Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. (Related policy: CORS should not allow every resource to access your Function Apps).
Severity: Low
CORS should not allow every resource to access Web Applications
Description: Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. (Related policy: CORS should not allow every resource to access your Web Applications).
Severity: Low
Diagnostic logs in App Service should be enabled
Description: Audit whether diagnostic logs are enabled on the app. Diagnostic logs let you recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. (No related policy).
Severity: Medium
Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'
Description: Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. (Related policy: Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On').
Severity: Medium
FTPS should be required in API apps
Description: Enable FTPS enforcement for enhanced security. (Related policy: FTPS only should be required in your API App).
Severity: High
FTPS should be required in function apps
Description: Enable FTPS enforcement for enhanced security. (Related policy: FTPS only should be required in your Function App).
Severity: High
FTPS should be required in web apps
Description: Enable FTPS enforcement for enhanced security. (Related policy: FTPS should be required in your Web App).
Severity: High
Function App should only be accessible over HTTPS
Description: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. (Related policy: Function App should only be accessible over HTTPS).
Severity: Medium
Function apps should have Client Certificates (Incoming client certificates) enabled
Description: Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. (Related policy: Function apps should have 'Client Certificates (Incoming client certificates)' enabled).
Severity: Medium
Java should be updated to the latest version for API apps
Description: Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Java version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version. (Related policy: Ensure that 'Java version' is the latest, if used as a part of the API app).
Severity: Medium
Managed identity should be used in API apps
Description: For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to manage credentials by providing an identity for the Azure resource in Azure Active Directory (Azure AD) and using it to obtain Azure AD tokens. (Related policy: Managed identity should be used in your API App).
Severity: Medium
Managed identity should be used in function apps
Description: For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to manage credentials by providing an identity for the Azure resource in Azure Active Directory (Azure AD) and using it to obtain Azure AD tokens. (Related policy: Managed identity should be used in your Function App).
Severity: Medium
Managed identity should be used in web apps
Description: For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to manage credentials by providing an identity for the Azure resource in Azure Active Directory (Azure AD) and using it to obtain Azure AD tokens. (Related policy: Managed identity should be used in your Web App).
Severity: Medium
Microsoft Defender for App Service should be enabled
Description: Microsoft Defender for App Service uses the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. Microsoft Defender for App Service can discover attacks on your applications and identify emerging attacks.
Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred. If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time. Learn more in Protect your web apps and APIs. (Related policy: Azure Defender for App Service should be enabled).
Severity: High
PHP should be updated to the latest version for API apps
Description: Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version. (Related policy: Ensure that 'PHP version' is the latest, if used as a part of the API app).
Severity: Medium
Python should be updated to the latest version for API apps
Description: Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version. (Related policy: Ensure that 'Python version' is the latest, if used as a part of the API app).
Severity: Medium
Remote debugging should be turned off for API App
Description: Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off. (Related policy: Remote debugging should be turned off for API Apps).
Severity: Low
Remote debugging should be turned off for Function App
Description: Remote debugging requires inbound ports to be opened on an Azure Function app. Remote debugging should be turned off. (Related policy: Remote debugging should be turned off for Function Apps).
Severity: Low
Remote debugging should be turned off for Web Applications
Description: Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off. (Related policy: Remote debugging should be turned off for Web Applications).
Severity: Low
TLS should be updated to the latest version for API apps
Description: Upgrade to the latest TLS version. (Related policy: Latest TLS version should be used in your API App).
Severity: High
TLS should be updated to the latest version for function apps
Description: Upgrade to the latest TLS version. (Related policy: Latest TLS version should be used in your Function App).
Severity: High
TLS should be updated to the latest version for web apps
Description: Upgrade to the latest TLS version. (Related policy: Latest TLS version should be used in your Web App).
Severity: High
Web Application should only be accessible over HTTPS
Description: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. (Related policy: Web Application should only be accessible over HTTPS).
Severity: Medium
Web apps should request an SSL certificate for all incoming requests
Description: Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. (Related policy: Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On').
Severity: Medium