App Service Linux security FAQs

The platform components of App Service, including Azure VMs, storage, network connections, web frameworks, management and integration features, are actively secured and hardened. App Service goes through vigorous compliance checks on a continuous basis. This article provides a compilation of resources covering the most App Service Linux security FAQs.

How to secure applications hosted in Azure App Service?

You can find recommendations to implement and general features available to fulfill the security needed of your applications hosted in App Service.

• Secure your app with the built-in App Service features
• Security recommendations for App Service
• Azure security baseline for App Service
• How to deploy a secure n-tier web app
• Deploying to Network-secured sites using Azure DevOps and Private Endpoints
• Deploying to Network-secured sites using GitHub Actions and Private Endpoints

How to edit HTTP headers for aplications hosted in App Service Linux?

There are several ways to customize response headers depending of the application, it can be done programmatically, using services as Application Gateway or Azure Front Door or implementing any web server as Nginx or Apache.

• Customize HTTP Headers programmatically
• How to customize Nginx headers for PHP Linux
• Customize Security Headers using Azure Front Door and Configure Rule Sets using Azure Front Door
• Customize HTTP Headers using Application Gateway

Is port 2222 secured for Web App Linux SSH?

We use port 2222 for SSH into your app’s container, but that doesn’t mean that port 2222 is exposed over the Internet. No matter how you use SSH in your app, all SSH traffic is handled through an endpoint on port 443. If you’re not using SSH, you don’t have to worry about closing port 2222 because it’s not exposed to the Internet.

We provide the ability to SSH into your app, but if you’re using a custom container, you need to take additional steps in order to add this ability to your app.

• App Service enable SSH

Why App Service terminates SSL at the Front-Ends?

App Service terminates SSL/TLS at the network load balancers (front-ends). That means that SSL/TLS requests never get to your app. That’s good news for you because it means that you don’t need to (and should not) implement any support for SSL/TLS into your app, since all HTTPS requests reach your app as unencrypted HTTP requests. If your app logic needs to check if the user requests are encrypted or not, inspect the X-Forwarded-Proto header. Also as stated above, it’s important to understand that the front-ends where SSL/TLS is terminated are inside of our Azure data centers.

• Handle TLS termination

Which ports are used for App Service Multi-tenant and in ASE (App Service Environment)?

If you scan App Service, you’ll find several ports that are exposed for inbound connections. There’s no way to block or control access to these ports in the multi-tenant service but you block those in an App Service Environment.

• App Service ports Multi-tenant
• Inbound Network Ports Used in an App Service Environment

How to disable weaker TLS Cipher Suites?

If a customer’s organization has restrictions on what cipher suites are not be allowed, they may update their web app’s minimum TLS cipher suite property to ensure that the weaker cipher suites would be disabled for their web app. This can be done if you have:

• Multi-tenant premium App Service Plans
• ASE (App Service Environment)

How software updates are handled by App Service?

Azure manages OS patching on two levels, the physical servers and the guest virtual machines (VMs) that run the App Service resources. Both are updated monthly, which aligns to the monthly Patch Tuesday schedule. These updates are applied automatically, in a way that guarantees the high-availability SLA of Azure services.

You can find more information about OS updates, how Azure deals with significant vulnerabilities and new major and minor versions for language support in OS and runtime patching in Azure App Service.

For language support timeline:

• Node.js runtime support
• PHP runtime support
• Python runtime support
• Java runtime support
• Ruby runtime support
• .NET runtime support
• Early access support

What are the different policies that can be applicable for App Service?

Azure Policy helps to enforce organizational standards and to assess compliance at-scale, depending on the security needs, you can apply policies as AuditIfNotExists (NSAID), DeployIfNotExists (DINE), Modify policies, among others, etc.

• Azure Policy built-in definitions for Azure App Service
• Azure Policy Regulatory Compliance controls for Azure App Service
• Why use DINE and Modify policies?
• Recommendations for managing policies

What is TLS mutual authentication in App Service?

You can restrict access to your Azure App Service app by enabling different types of authentication for it. One way to do it is to request a client certificate when the client request is over TLS/SSL and validate the certificate. This mechanism is called TLS mutual authentication or client certificate authentication. This article shows how to set up your app to use client certificate authentication. Configure TLS mutual authentication for Azure App Service

How to handle secrets when using App Settings?

By default, values for app settings are hidden in the portal for security. To see a hidden value of an app setting, click its Value field. You can keep development settings in local files and production secrets as database passwords safely in App Service through app settings.

You can also store your secrets in Azure Key Vault and use Key Vault references as values for App Settings.