CDN Profiles

CDN Profile HTTP Enabled

Risk Level: Medium

Description  

This plugin checks that HTTP is not enabled on CDN endpoints that front a custom origin. Every Azure CDN endpoint should accept HTTPS only, so that traffic to the CDN, and on to the backend custom origin, is never carried in plain text.

About the Service

CDN Profiles: A Content Delivery Network (CDN) is a distributed network of servers that delivers content efficiently to end users by caching it on servers located close to them. It reduces latency and improves the user experience by providing large-scale capacity, saving origin bandwidth and shortening load times.

Impact 

Over HTTP, data is transferred in plain text, so anyone on the network path can read or alter it; this makes an endpoint that accepts HTTP highly susceptible to man-in-the-middle attacks, and clients can be steered to the HTTP URL even when an HTTPS one exists. HTTPS adds confidentiality, integrity and server authentication, so only the HTTPS protocol should be enabled on the endpoint.

Steps to Reproduce

  1. Log in to the Azure portal.
  2. From the list of services, go to CDN profiles.
  3. Select the profile that has to be checked.
  4. On the profile's Overview page, check the list of endpoints. If HTTP appears in the Protocol column for any endpoint, that endpoint is affected; see the Steps for Remediation section.
  5. Repeat for the remaining CDN profiles.

Steps for Remediation

  1. Log in to the Azure portal.
  2. From the list of services, go to CDN profiles.
  3. Select the profile for which the issue has to be resolved.
  4. On the profile's Overview page, identify every endpoint whose Protocol column includes HTTP. In the portal the protocols are set when the endpoint is created, so an affected endpoint has to be replaced with a new one.
  5. Click + Endpoint. Enter a name for the new endpoint (it must differ from the existing one while that endpoint still exists, and the name also becomes the endpoint hostname, so plan to update any references to the old hostname). Select the same origin type and origin hostname as the endpoint being replaced, and enter the same origin path and origin host header. HTTP is selected by default under Protocol; deselect it, leaving only HTTPS. Click Add.
  6. Once the new endpoint is serving traffic, remove the old endpoint, then repeat for the other affected CDN profiles.
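The same check and remediation can be scripted against the Azure CLI instead of the portal. The following is an added example written for this page; it is not PingSafe's plugin code. It assumes the JSON shape returned by `az cdn endpoint list --profile-name <profile> --resource-group <group> -o json` (fields `name`, `isHttpAllowed`, `isHttpsAllowed`, `origins`, `originHostHeader`, `originPath`) and the `--no-http` / `--no-https` flags of `az cdn endpoint create`; verify both against your CLI version before running the generated commands. The endpoint list below is a constructed sample, so the block runs offline.

```python
"""Flag Azure CDN endpoints that accept plain HTTP and build the `az cdn endpoint
create` commands that recreate them HTTPS-only.

Added example for this page, not PingSafe's plugin code. Assumes the output shape
of `az cdn endpoint list -o json` and the `--no-http` flag of `az cdn endpoint
create` (both as documented for the Azure CLI; confirm against your version).
"""
import json
import shlex

# Constructed sample, modelled on `az cdn endpoint list -o json` output.
# "static-assets" still allows HTTP and must be recreated; "api-cache" is compliant.
SAMPLE_ENDPOINT_LIST = json.dumps([
    {
        "name": "static-assets",
        "hostName": "static-assets.azureedge.net",
        "isHttpAllowed": True,
        "isHttpsAllowed": True,
        "originHostHeader": "assets.example.com",
        "originPath": "/public",
        "origins": [{"name": "origin-1", "hostName": "assets.example.com"}],
    },
    {
        "name": "api-cache",
        "hostName": "api-cache.azureedge.net",
        "isHttpAllowed": False,
        "isHttpsAllowed": True,
        "originHostHeader": None,
        "originPath": None,
        "origins": [{"name": "origin-1", "hostName": "api.example.com"}],
    },
])


def http_enabled_endpoints(endpoint_list_json):
    """Return the endpoints (as dicts) that accept plain HTTP.

    An endpoint fails whenever isHttpAllowed is true, even if HTTPS is also
    enabled: the control is that HTTP must be off, not merely that HTTPS is on.
    """
    endpoints = json.loads(endpoint_list_json)
    return [e for e in endpoints if e.get("isHttpAllowed", False)]


def recreate_https_only_command(endpoint, profile_name, resource_group, new_name):
    """Build the `az cdn endpoint create` argv that recreates `endpoint` with HTTP
    disabled, copying origin hostname, origin host header and origin path.

    `new_name` must differ from the current name while the old endpoint exists,
    because the name is also the edge hostname (<name>.azureedge.net).
    """
    if new_name == endpoint["name"]:
        raise ValueError("new endpoint name must differ from the existing one")
    origin_host = endpoint["origins"][0]["hostName"]
    cmd = [
        "az", "cdn", "endpoint", "create",
        "--resource-group", resource_group,
        "--profile-name", profile_name,
        "--name", new_name,
        "--origin", origin_host,
        "--no-http", "true",    # assumption: flag name as in the az CLI reference
        "--no-https", "false",
    ]
    if endpoint.get("originHostHeader"):
        cmd += ["--origin-host-header", endpoint["originHostHeader"]]
    if endpoint.get("originPath"):
        cmd += ["--origin-path", endpoint["originPath"]]
    return cmd


def remediation_plan(endpoint_list_json, profile_name, resource_group, suffix="-tls"):
    """Map each non-compliant endpoint name to the shell command that replaces it."""
    plan = {}
    for ep in http_enabled_endpoints(endpoint_list_json):
        argv = recreate_https_only_command(ep, profile_name, resource_group, ep["name"] + suffix)
        plan[ep["name"]] = shlex.join(argv)
    return plan


if __name__ == "__main__":
    # Hypothetical profile and resource group names used only for the demo.
    for name, command in remediation_plan(SAMPLE_ENDPOINT_LIST, "cdn-prod", "rg-web").items():
        print(f"{name}: HTTP enabled -> {command}")
```

In practice, feed the function the real output of `az cdn endpoint list`, review each generated command, and only delete the old endpoint after traffic has moved to the new hostname.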

Please feel free to reach out to support@pingsafe.ai with any questions that you may have.

Thanks

PingSafe Support