Storing, for example, a database connection string that includes the server name, user id and password in source code or in a configuration file is what is called ‘password leaking’. That means that anyone who has access to the application source code can search through it and get access to the database, because the information required to connect […]
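As an added example (not code from the original post), here is a small Python scanner that flags source or config lines embedding a connection string with a password, next to the hardened way of obtaining the value: reading the environment variable that App Service creates for each connection string configured in application settings (type prefix plus name, for example SQLAZURECONNSTR_Orders). The sample source lines, the `Orders` name and the `fake_env` mapping are constructed for illustration.

```python
import os
import re

# Constructed sample of source/config lines (not from the original post): a web.config
# connection string with an inline password, a C# string using integrated auth, one that
# reads the platform-injected environment variable, and a legacy "uid/pwd" string.
SAMPLE_SOURCE = """\
<connectionStrings>
  <add name="Orders" connectionString="Server=tcp:orders.database.windows.net,1433;Initial Catalog=orders;User ID=appuser;Password=Sup3rS3cret!;Encrypt=True;" />
</connectionStrings>
var cs = "Data Source=.;Initial Catalog=Dev;Integrated Security=True;";
var cs2 = Environment.GetEnvironmentVariable("SQLAZURECONNSTR_Orders");
string legacy = "Server=db01;Database=Inventory;uid=sa;pwd=Passw0rd";
"""

# SqlClient accepts Password= and Pwd= (case-insensitive); the value runs to the next ';' or quote.
PASSWORD_KEY = re.compile(r'(?i)\b(Password|Pwd)\s*=\s*([^;"\']+)')
# Keys that mark the line as a connection string rather than some other kind of secret.
CONNSTR_KEY = re.compile(r'(?i)\b(Server|Data Source|Initial Catalog|Database)\s*=')


def redact(line):
    """Mask the password value so a finding can be logged without re-leaking the secret."""
    return PASSWORD_KEY.sub(lambda m: m.group(1) + "=***", line)


def find_leaked_connection_strings(text):
    """Return [(line_number, redacted_line)] for every line that embeds a connection
    string carrying a password. Lines using integrated auth, or reading the value from
    the environment, are not reported."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if CONNSTR_KEY.search(line) and PASSWORD_KEY.search(line):
            hits.append((number, redact(line)))
    return hits


# Azure App Service exposes each connection string configured in the portal/ARM as an
# environment variable named <type prefix> + <name>; these are the documented prefixes.
CONNSTR_PREFIXES = (
    "SQLAZURECONNSTR_", "SQLCONNSTR_", "MYSQLCONNSTR_", "POSTGRESQLCONNSTR_", "CUSTOMCONNSTR_",
)


def load_connection_string(name, env=None):
    """Hardened form: resolve a named connection string from the environment (App Service
    application settings) instead of from source or a checked-in config file. The `env`
    parameter exists only so the lookup can be exercised with a constructed mapping."""
    env = os.environ if env is None else env
    for prefix in CONNSTR_PREFIXES:
        value = env.get(prefix + name)
        if value:
            return value
    raise KeyError(f"connection string {name!r} is not configured in the environment")


if __name__ == "__main__":
    for number, line in find_leaked_connection_strings(SAMPLE_SOURCE):
        print(f"line {number}: {line.strip()}")
    # Constructed stand-in for the App Service process environment.
    fake_env = {"SQLAZURECONNSTR_Orders": "Server=tcp:orders.database.windows.net,1433;Password=***"}
    print(load_connection_string("Orders", fake_env))
```

The scanner only reports the two lines that carry an inline password; the integrated-auth string and the environment lookup pass. Run it over a repository before the first commit, not after: once a password has been pushed it has to be rotated, not just removed.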
Category: Security
TLS on Azure App Services
I wrote this article some time ago, “How to disable TLS 1.0 on an Azure App Service Web App”, which explains some of the reasons TLS was not configurable on the Azure App Service platform. There were many customers who wanted to disable TLS 1.0 so they could remain or become PCI compliant and at […]
What Root Certificates exist on an Azure App Service, CA Root
As you may already know, SSL/TLS is offloaded on the Front Ends (*), and this is where certificate root chains are validated (AFAIK). There is no way for you to access those machines to dump out which CAs are there. The next, or closest, thing I can think of is to dump them out via […]
Always get "Authorization has been denied for this request." ASP.NET Web API
I was creating an ASP.NET Web API today and when I called one of the Web APIs (/api/values) I got the following response: {“Message”:”Authorization has been denied for this request.”} It turns out that ‘Individual User Accounts’ authentication is enabled by default. See Figure 1. Figure 1, {“Message”:”Authorization has been denied for this request.”} […]
Azure App Service IP Based SSL and SNI Based SSL configuration
25-OCT-2017: If you delete an existing binding during the certificate renewal process, then you will likely get a new inbound IP address allocated. This would cause a problem with an A record DNS configuration. Therefore, to renew a certificate, upload the new certificate, noting the new thumbprint, and bind that one to the App Service […]
Resetting FTP password, using Publish Profile credentials, Azure App Service
If you have ever tried to reset your deployment credentials for your Azure App Service then you have likely experienced this: “User name is not available”, as seen in Figure 1. #GermanCloud Figure 1, user name is not available when changing FTP password azure app service To work around that, use a different username, i.e. temporarily […]
Failed to save Auth settings Easy Auth Azure Authentication
When I tried to configure a URL in the ALLOWED EXTERNAL REDIRECT URLS text box, as shown in Figure 1, I received the following error. Failed to save Auth Settings for authenticated App: {"Code":"Conflict","Message":"Cannot update the site ‘******’ because Authentication / Authorization was configured with an invalid external redirect URL ‘***.***.***.***’. All configured URLs […]
How to see the cipher suites on an Azure App Service
I wrote an article here about TLS 1.2 which listed out the cipher suite used to negotiate the security settings (encryption) between a client and server, via a Network Monitor trace. You can probably see the same using Wireshark. Regardless, here is a nice Wiki article about cipher suites. It was a journey getting to the […]
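To show concretely what such a trace contains, and to tie it to the TLS 1.0 and SNI-based SSL posts on this page, here is an added Python example (not part of the original post, and not how Network Monitor or Wireshark do it) that builds and parses a TLS ClientHello: it reports the protocol version the client offers, names the offered cipher suites, flags the ones a PCI-driven policy (no TLS 1.0, no RC4/3DES) would refuse, and extracts the SNI host name that an SNI-based SSL binding keys on. The `contoso.azurewebsites.net` host name and the legacy cipher list are constructed sample input; the suite and version numbers are the IANA values.

```python
import struct

# IANA cipher suite values (a subset), enough to name what a Network Monitor or Wireshark
# trace of an App Service front end typically shows.
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
WEAK_MARKERS = ("RC4", "3DES", "NULL", "EXPORT", "MD5")  # suites a PCI-driven policy refuses
EXT_SERVER_NAME = 0  # the SNI extension, which SNI-based SSL bindings key on


def build_client_hello(client_version, suites, server_name=None):
    """Serialise a minimal ClientHello (TLS record + handshake header) offering the given
    protocol version and cipher suites, optionally with an SNI extension. The 32-byte
    random is all zeros so the output is deterministic; a real client fills it from a CSPRNG."""
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # ServerNameList, one host_name
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(data):
    """Parse one TLS record carrying a ClientHello into its versions, cipher suites and
    extensions; raises ValueError for anything that is not a well-formed ClientHello."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", data[1:5])
    body = data[5:5 + record_len]
    if len(body) != record_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hello_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hello_len]
    if len(hello) != hello_len:
        raise ValueError("truncated handshake message")
    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                 # past the version and the 32-byte random
    pos += 1 + hello[pos]        # past the session id
    suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + hello[pos]        # past the compression methods
    extensions = []
    if pos < len(hello):         # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            extensions.append((ext_type, hello[pos + 4:pos + 4 + ext_len]))
            pos += 4 + ext_len
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": suites, "extensions": extensions}


def server_name(parsed):
    """Host name from the SNI extension, or None if the client sent none (such a client
    can only be served by an IP-based SSL binding, since there is nothing to select on)."""
    for ext_type, ext_data in parsed["extensions"]:
        if ext_type == EXT_SERVER_NAME and len(ext_data) >= 5 and ext_data[2] == 0:
            name_len = struct.unpack("!H", ext_data[3:5])[0]
            return ext_data[5:5 + name_len].decode("ascii")
    return None


def summarize(data):
    """Human-readable view of a ClientHello: version, named suites, weak suites, SNI."""
    parsed = parse_client_hello(data)
    names = [SUITE_NAMES.get(s, f"0x{s:04X}") for s in parsed["cipher_suites"]]
    return {
        "version": VERSION_NAMES.get(parsed["client_version"], f"0x{parsed['client_version']:04X}"),
        "suites": names,
        "weak": [n for n in names if any(m in n for m in WEAK_MARKERS)],
        "sni": server_name(parsed),
    }


# Constructed sample: a legacy TLS 1.0 client offering RC4 and 3DES, the kind of client a
# "disable TLS 1.0" policy is meant to reject.
LEGACY_HELLO = build_client_hello(0x0301, [0x0005, 0x000A, 0x002F, 0x00FF], "contoso.azurewebsites.net")

if __name__ == "__main__":
    for key, value in summarize(LEGACY_HELLO).items():
        print(f"{key}: {value}")
```

Feed `parse_client_hello` the raw bytes of the first record from a capture and you get the same list the trace shows, minus the Network Monitor UI. Note that the version in the ClientHello is the highest the client offers; the server picks the actual version and suite in its ServerHello, so a TLS 1.2 offer can still end in a TLS 1.0 session if the server allows it.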
Azure Functions Access-Control-Allow-Credentials with CORS
There is a known issue documented on GitHub here with the title “Cross origin http request CORS fails with response header missing ‘Access-Control-Allow-Credentials: true’”. Although the issue is described and a solution provided there, I thought I would write up what I did, as I use C# and didn’t see any examples of that, so here […]
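As an added example (not the post's C# code and not the Azure Functions runtime's own CORS handling), the Python below models both sides of that failure: the headers a credentialed cross-origin request needs from the server, and the browser-side check that rejects a response lacking Access-Control-Allow-Credentials: true or carrying a wildcard origin. The allow-list, the sample request and the platform response are constructed.

```python
# Constructed request/response shapes (plain dicts). This models the headers an API must
# emit for a credentialed cross-origin call; it is not the Functions runtime's CORS code.

ALLOWED_ORIGINS = {"https://app.contoso.com", "http://localhost:3000"}  # assumed allow-list


def cors_headers(request_headers, allowed_origins, allow_credentials=True, preflight=False):
    """Return the CORS response headers for a request coming from a browser.

    When the browser sends credentials (cookies or an Authorization header, i.e.
    fetch(..., {credentials: "include"})) it refuses a wildcard origin, so the server must
    echo the single requesting origin and add Access-Control-Allow-Credentials: true.
    An origin outside the allow-list gets no CORS headers at all, which makes the browser
    block the cross-origin read."""
    origin = request_headers.get("Origin")
    if origin not in allowed_origins:
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if preflight:  # OPTIONS request: echo what the browser asked permission for
        headers["Access-Control-Allow-Methods"] = request_headers.get("Access-Control-Request-Method", "GET")
        requested = request_headers.get("Access-Control-Request-Headers")
        if requested:
            headers["Access-Control-Allow-Headers"] = requested
    return headers


def browser_allows(origin, with_credentials, response_headers):
    """The browser side of the check, which is what fails in the GitHub issue. Returns
    (allowed, reason). Values are compared exactly and case-sensitively, as Fetch does."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False, "response header missing 'Access-Control-Allow-Origin'"
    if with_credentials:
        if acao == "*":
            return False, "wildcard Access-Control-Allow-Origin is not allowed with credentials"
        if response_headers.get("Access-Control-Allow-Credentials") != "true":
            return False, "response header missing 'Access-Control-Allow-Credentials: true'"
    if acao != "*" and acao != origin:
        return False, f"Access-Control-Allow-Origin {acao!r} does not match {origin!r}"
    return True, "ok"


# Constructed credentialed request from the single-page app's origin.
SAMPLE_REQUEST = {"Origin": "https://app.contoso.com", "Cookie": "session=abc"}
# Constructed response from a platform that sets only the origin header: the failing case.
PLATFORM_ONLY = {"Access-Control-Allow-Origin": "https://app.contoso.com"}

if __name__ == "__main__":
    print("platform headers only:", browser_allows(SAMPLE_REQUEST["Origin"], True, PLATFORM_ONLY))
    fixed = cors_headers(SAMPLE_REQUEST, ALLOWED_ORIGINS)
    print("with credentials header:", browser_allows(SAMPLE_REQUEST["Origin"], True, fixed))
```

The `Vary: Origin` header matters once the origin is echoed rather than fixed: without it a cache can hand a response stamped with one origin to a page on another, and the browser will then fail the match above.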
How to disable TLS 1.0 on an Azure App Service Web App
UPDATE as of 17-APR-2018: you can; read about that here. Short answer is that, prior to 17-APR-2018, you couldn’t (see alternative solution below). The reason is that when you deploy an Azure App Service it goes into a multi-tenant scale unit. A scale unit looks something like Figure 1, which I stole from here. Also, […]