
How to enforce HTTPS only (no redirect, block HTTP) on Azure App Service / Web App

Microsoft's own documentation on HSTS says the following regarding HSTS, HTTPS redirection, and APIs:

Web APIs should either:

  • Not listen on HTTP.
  • Close the connection with status code 400 (Bad Request) and not serve the request.

… a single authenticated call to an API over HTTP has risks on insecure networks. The secure approach is to configure API projects to only listen to and respond over HTTPS.

My takeaway is: APIs should not redirect, since clients may happily send sensitive data over HTTP and everything "just works" due to the redirection. Even for browsers and when using HSTS, the first request (with potentially sensitive data) may be done using HTTP. Instead, APIs should fail HTTP requests and respond only via HTTPS.

After having spent the better part of the day researching this, I find that in Azure App Service / Web App, there seems to be no simple way to follow these recommendations. Regardless of whether "HTTPS Only" is On or Off, the API can be called via HTTP: If On, it redirects to HTTPS, and if Off, it's fully available with HTTP without redirection. One would think there'd be a simple way to make the app service / web app listen only over HTTPS. For example if the "HTTPS Only" button was Off/Redirect/On.

The documentation says that:

To disable HTTP redirection in an API, set the ASPNETCORE_URLS environment variable or use the --urls command line flag. For more information, see Use multiple environments in ASP.NET Core and 5 ways to set the URLs for an ASP.NET Core app by Andrew Lock.

Unfortunately, neither of these two links describe whether this is relevant for App Service / Web App, or what the environment variables should be. I have not been able to get it to work. It also seems that this would require duplicating any custom domains, forcing you to remember to keep the environment variable in sync with changes to custom domains.

How can I make Azure App Service / Web App listen only on HTTPS?

My current workaround is to deploy the following web.config which, ironically, requires "HTTPS Only" to be Off for the HTTP request to reach the app service and be rejected. However, it does do the job of ensuring that no HTTP-only API clients will be developed, since they simply won't work from the outset.

<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Reject plain-HTTP requests with 400 instead of redirecting them -->
        <rule name="Disable HTTP" enabled="true" stopProcessing="true">
          <match url="(.*)" ignoreCase="false" />
          <conditions>
            <!-- Request arrived over HTTP (TLS not in use) -->
            <add input="{HTTPS}" pattern="off" />
            <!-- Let App Service warm-up requests (used during slot swaps) through -->
            <add input="{WARMUP_REQUEST}" pattern="1" negate="true" />
            <!-- Skip requests whose source address begins with 10. or 100. -->
            <add input="{REMOTE_ADDR}" pattern="^100?\." negate="true" />
          </conditions>
          <action type="CustomResponse" statusCode="400" statusReason="HTTPS Required" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

(Conditions from this blog post.)

If anyone has a better, simpler, or more official method, I'll gladly accept that answer. Also, I'm not sure the WARMUP_REQUEST part works (copied from elsewhere); if I change CustomResponse to AbortRequest, the slot swap operation fails because the warmup requests are dropped.
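As an added check (not part of the original question or of any Microsoft tooling), the following Python script probes a host's plain-HTTP endpoint without following redirects and reports whether the request is rejected, redirected to HTTPS, or served, which is the distinction the question is about. The hostname and path it is given are placeholders; the status-code sets and the "findings" wording are this example's own choices.

```python
"""Added check (not from the original post): probe a host over plain HTTP and
report whether the request is rejected, redirected, or served.

A rejected request (400, as the web.config rule above returns) is what the
quoted guidance asks for; a redirect means a client that already sent data
over HTTP exposed it before ever reaching HTTPS.
"""
import http.client
import sys

REDIRECT_CODES = {301, 302, 303, 307, 308}
# Codes a server can use to refuse a plain-HTTP request outright. 400 is the
# code the ASP.NET Core guidance and the web.config rule use; 426 (Upgrade
# Required) is the RFC-defined alternative. This set is an assumption.
REJECT_CODES = {400, 403, 426}


def classify_http_response(status, headers):
    """Classify one plain-HTTP response; headers has lowercase names."""
    if status in REDIRECT_CODES:
        target = headers.get("location", "")
        if target.lower().startswith("https://"):
            return "redirect-to-https"
        return "redirect-other"
    if status in REJECT_CODES:
        return "rejected"
    if 200 <= status < 300:
        return "served-over-http"
    return "other"


def audit(http_status, http_headers, https_headers=None):
    """Return (verdict, findings) for a plain-HTTP probe.

    https_headers, if given, are the headers of the same path fetched over
    HTTPS; they are only checked for a Strict-Transport-Security header.
    """
    verdict = classify_http_response(http_status, http_headers)
    notes = []
    if verdict == "served-over-http":
        notes.append("API answers over plain HTTP: anything a client sends is exposed on the wire")
    elif verdict.startswith("redirect"):
        notes.append("HTTP is redirected (%d): a client that sent data in the HTTP request "
                     "already exposed it before the redirect" % http_status)
        if http_status in (301, 302, 303):
            notes.append("redirect code %d lets clients resend a POST as a GET, "
                         "silently dropping the body" % http_status)
    elif verdict == "other":
        notes.append("unexpected HTTP status %d; inspect manually" % http_status)
    if https_headers is not None and "strict-transport-security" not in https_headers:
        notes.append("HTTPS response carries no Strict-Transport-Security header")
    return verdict, notes


def probe(host, path="/", https=False, timeout=5):
    """Send one GET and return (status, headers) without following redirects."""
    if https:
        conn = http.client.HTTPSConnection(host, 443, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "https-only-check"})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, headers
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder host: pass your own app's hostname as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    path = sys.argv[2] if len(sys.argv) > 2 else "/"
    status, hdrs = probe(target, path)
    _, https_hdrs = probe(target, path, https=True)
    verdict, notes = audit(status, hdrs, https_hdrs)
    print("verdict:", verdict)
    for note in notes:
        print(" -", note)
```

Run against an app with "HTTPS Only" turned On, the probe reports redirect-to-https, which is the behaviour the question describes; with the web.config rule above deployed and "HTTPS Only" Off, it should report rejected and an empty findings list as long as the HTTPS response also carries an HSTS header.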
