- Consider what level of logging is necessary to meet your organization’s compliance requirements.
- Review your security requirements to determine if they allow your web applications to be run on shared network infrastructure or if they require the complete network/virtual machine isolation available with App Service Environments.
- Review which Web Application Firewall rulesets and/or custom rules are necessary to meet your security and compliance requirements.
- Evaluate the security of your software supply chain and determine the tools and processes in place to automatically patch application dependency vulnerabilities and reliably deploy them into your environment.
- Use Private Endpoint to privately access Azure services through your vNet.
- Use Azure Policy to assess and enforce Regulatory Compliance controls.
- Apps should only be accessible over HTTPS.
- Use the latest TLS version when encrypting information in transit.
- Review the list of SSL ciphers.
- Store application secrets (database credentials, API tokens, private keys) in Azure Key Vault and configure your App Service app to access them securely with a Managed Identity. Determine when to use Azure Key Vault versus Azure App Configuration, following the relevant guidance.
- Configure Cross-Origin Resource Sharing (CORS), either within App Service or with your own CORS utilities, to indicate which origins the user’s browser should be allowed to load resources from.
- When deploying containerized web applications to App Services, enable Azure Defender for container registries to automatically scan images for vulnerabilities.
- Enable Azure Defender for App Service to assess the security of your web applications and detect threats to your App Service resources.
- Use Private Endpoint for Azure Cache for Redis Enterprise.
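As an added example (not part of the original checklist), the Python auditor below checks an exported App Service site definition against the HTTPS-only, minimum TLS, CORS and Key Vault/Managed Identity items above; it assumes the JSON follows the Microsoft.Web/sites property names (httpsOnly, siteConfig.minTlsVersion, siteConfig.cors.allowedOrigins, siteConfig.appSettings), and the two site definitions it ships with are constructed samples.

```python
import re

# App Service Key Vault reference syntax for app settings.
KV_REF = re.compile(r"^@Microsoft\.KeyVault\(.+\)$")
# Setting names that usually hold a credential and therefore belong in Key Vault.
SECRET_HINT = re.compile(r"password|secret|token|privatekey|connectionstring", re.I)


def audit_site(site: dict) -> list[str]:
    """Return one finding per failed check; an empty list means every check passed."""
    props = site.get("properties") or {}
    cfg = props.get("siteConfig") or {}
    findings = []
    if not props.get("httpsOnly", False):
        findings.append("httpsOnly is false: plain HTTP requests are not redirected to HTTPS")
    tls = cfg.get("minTlsVersion", "1.0")  # a missing value is treated as the weakest
    if tuple(int(p) for p in tls.split(".")) < (1, 2):
        findings.append(f"minTlsVersion is {tls}: require at least TLS 1.2")
    origins = (cfg.get("cors") or {}).get("allowedOrigins") or []
    if "*" in origins:
        findings.append("CORS allows every origin ('*'): list explicit origins instead")
    has_identity = (site.get("identity") or {}).get("type", "None") != "None"
    for setting in cfg.get("appSettings") or []:
        name, value = setting.get("name", ""), setting.get("value", "")
        if KV_REF.match(value):
            if not has_identity:  # the reference cannot be resolved without an identity
                findings.append(f"{name} references Key Vault but the app has no managed identity")
        elif SECRET_HINT.search(name):
            findings.append(f"{name} looks like a secret stored in plain text: move it to Key Vault")
    return findings


def make_site(https_only, tls, origins, identity, settings):
    """Build a minimal definition in the Microsoft.Web/sites shape (constructed sample data)."""
    return {"identity": {"type": identity},
            "properties": {"httpsOnly": https_only,
                           "siteConfig": {"minTlsVersion": tls,
                                          "cors": {"allowedOrigins": origins},
                                          "appSettings": settings}}}


# Constructed before/after samples: the weak definition fails every check above.
WEAK_SITE = make_site(False, "1.0", ["*"], "None",
                      [{"name": "DbPassword", "value": "hunter2"}])
HARDENED_SITE = make_site(True, "1.2", ["https://app.contoso.example"], "SystemAssigned",
                          [{"name": "DbPassword",
                            "value": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=DbPassword)"}])
```

Run `audit_site` over each site exported from your subscription; a non-empty list is the set of checklist items that site still fails.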