Forum Discussion

jcvst's avatar
jcvst
Brass Contributor
Nov 12, 2023

Securing WebApp Server -

I recently had a discussing with a junior co-worker around securing WebApp servers, so I decided to post this, my thoughts around it. What am I missing?

  • Ensure your web application is secured by implementing HTTPS and employing a TLS/SSL certificate to encrypt communication between the app and its users. 

  • Enhance security by enforcing HTTPS for all web app requests, while also disabling insecure protocols like HTTP, TLS 1.0, and FTP. Achieve this through App Service settings or by adding a redirect rule in your web.config file.

  • Safeguard your web app by configuring authentication measures, restricting access to users within your organization. Utilize Azure Active Directory (Azure AD) for user authentication and authorization, with the option to enable multi-factor authentication (MFA) for an additional layer of security.

  • Employ managed identities to access the Azure data plane (e.g., Azure Storage, Azure SQL Database, Azure Key Vault) from your web app without storing credentials in your code. Managed identities offer an Azure AD-managed identity for your app, automatically rotating access tokens.

  • Access Microsoft Graph to retrieve user or non-user data for your web app, utilizing the Microsoft Graph SDK or REST API. To enable this, register your app with Azure AD and grant the necessary permissions to access Microsoft Graph.

  • Establish an Azure Key Vault to securely store and manage sensitive information such as connection strings, passwords, certificates, and encryption keys. Leverage Azure Key Vault to inject secrets into your web app at runtime, avoiding exposure in code or configuration files. Additionally, use it to generate or upload certificates for your web app.

  • Enhance the security of your web app by using private endpoints to connect to other Azure resources within a virtual network (VNet). Private endpoints provide a non-public IP address for your web app, preventing exposure to the internet. This setup helps prevent data exfiltration from your VNet and ensures a secure connection from on-premises networks using a VPN or ExpressRoute private peering.

Resources