Security · High · Occasional · AZF-0034

HTTPS-only turned off on a storage account or web app allows cleartext HTTP again

Secure transfer on Storage, or HTTPS-only on App Service, gets switched off and the endpoint starts accepting plaintext HTTP requests.

Footgun ID
AZF-0034 (Azure Footgun No. 34)
Azure service
Azure Storage / App Service
Resource type
Microsoft.Storage/storageAccounts
Updated
July 1, 2026

What it is

The setting that forces encrypted transport gets disabled. On Azure Storage it is Secure transfer required (properties.supportsHttpsTrafficOnly); on App Service it is HTTPS Only (properties.httpsOnly). With it off, the endpoint no longer rejects or redirects plain http:// requests, so cleartext traffic is accepted.

Impact (security)
Data-plane traffic accepted over unencrypted HTTP
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

The two settings default differently. On Storage, supportsHttpsTrafficOnly is on by default on new accounts, so the risk is someone turning it off. On App Service, httpsOnly defaults to false on new web apps, so the risk is that it is never turned on in the first place. Either way the setting ends up off for a short-term reason: an old SDK or device that speaks only HTTP, a health-check probe that isn't configured for TLS, or a quick test that never gets reverted. Flipping (or never flipping) the property makes the immediate error go away.

Because HTTPS still works, the app and its dashboards look completely normal. Nothing signals that the endpoint has quietly started answering unencrypted requests too, so the setting stays off long after the reason for changing it is gone.

What it costs / blast radius

This is a transport-security regression, not a cost line. Allowing HTTP means credentials, access keys, SAS tokens, and payloads can traverse the network in cleartext, exposing them to interception and to man-in-the-middle downgrade. It also breaks common compliance requirements that mandate encryption in transit. The blast radius is any client that connects over the unencrypted path, whether by mistake or because an attacker steered it there. (Azure behavior; on Storage, secure transfer is the default and is only off when someone disables it.)

See it

Footgun: secure transfer disabled on Storage (App Service has the same trap via httpsOnly)
param location string = resourceGroup().location   // declared so the snippet deploys on its own

resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata'
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    supportsHttpsTrafficOnly: false   // now accepts plaintext http:// requests
  }
}
Fix: require encrypted transport (httpsOnly: true on App Service)
param location string = resourceGroup().location   // declared so the snippet deploys on its own

resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata'
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    supportsHttpsTrafficOnly: true    // reject HTTP; fix the client to speak TLS
  }
}

How StratoLens helps

StratoLens tracks the secure-transfer and HTTPS-only settings on storage accounts and web apps across every subscription, and flags the moment either flips from enabled to disabled, with the before/after values and when it happened. An endpoint that started accepting cleartext HTTP surfaces as a weakening event, not as a config edit nobody circles back to.
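As an added example (not StratoLens code and not its detection logic), here is a small Python audit over ARM-style resource records that applies the two different defaults described under "Why it happens", lists the endpoints currently accepting http://, and reports which ones flipped from enforced to off between two snapshots, the "weakening event" distinction above. The resource names and both snapshots are constructed; only the `type` and `properties` fields an ARM resource listing would carry are used.

```python
STORAGE = "microsoft.storage/storageaccounts"
WEBAPP = "microsoft.web/sites"

def requires_https(resource):
    """True if the resource rejects plain HTTP, None if the check does not cover it.
    A missing property is resolved with each service's default: Storage secure
    transfer is on unless set false, App Service httpsOnly is off unless set true."""
    props = resource.get("properties") or {}
    rtype = resource.get("type", "").lower()
    if rtype == STORAGE:
        return bool(props.get("supportsHttpsTrafficOnly", True))
    if rtype == WEBAPP:
        return bool(props.get("httpsOnly", False))
    return None

def find_cleartext(resources):
    """Names of storage accounts and web apps that currently accept http://."""
    return sorted(r["name"] for r in resources if requires_https(r) is False)

def find_weakening(before, after):
    """Names whose transport setting went from enforced to not enforced between
    two snapshots (a flip, as opposed to a web app that was never turned on)."""
    prev = {r["name"]: requires_https(r) for r in before}
    return sorted(r["name"] for r in after
                  if prev.get(r["name"]) is True and requires_https(r) is False)

# Constructed sample snapshots (not real resources): only the fields the check reads.
SNAPSHOT_BEFORE = [
    {"name": "corpdata", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": True}},
    {"name": "logs", "type": "Microsoft.Storage/storageAccounts", "properties": {}},
    {"name": "portal", "type": "Microsoft.Web/sites", "properties": {}},
    {"name": "api", "type": "Microsoft.Web/sites", "properties": {"httpsOnly": True}},
    {"name": "kv", "type": "Microsoft.KeyVault/vaults", "properties": {}},
]
SNAPSHOT_AFTER = [
    {"name": "corpdata", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": False}},   # someone turned it off
    {"name": "logs", "type": "Microsoft.Storage/storageAccounts", "properties": {}},
    {"name": "portal", "type": "Microsoft.Web/sites", "properties": {}},  # never enabled
    {"name": "api", "type": "Microsoft.Web/sites", "properties": {"httpsOnly": True}},
    {"name": "kv", "type": "Microsoft.KeyVault/vaults", "properties": {}},
]

if __name__ == "__main__":
    print("accepting cleartext now:", find_cleartext(SNAPSHOT_AFTER))
    print("flipped off since last snapshot:", find_weakening(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

Note that `portal` shows up in the cleartext list for both snapshots but never as a weakening event: on App Service the problem is a setting that was never enabled, which a flip-only alert would miss.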

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.