Property
Language: terraform
Severity: low
Service: appservice
Provider: Azure

Description

The web application is configured without requiring incoming client certificates, so mutual TLS authentication is not enforced. Any client can open a connection without proving its identity with a certificate.

Impact

Without client certificate validation, unauthorized clients can reach the application, increasing the risk of data exposure and unauthorized actions. Attackers could use this to impersonate legitimate users or automate malicious access, reducing the overall security of the app.

Resolution

Require incoming client certificates on the app service.
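The weak configuration beside the corrected one, as an added example that is not part of the original check page. Resource names, the resource group and the plan reference are placeholders; the attribute names are those of the azurerm provider's `azurerm_app_service` resource.

```hcl
# Added example; names and references are placeholders.

# Weak: client certificates are not required, so any client can complete
# the TLS handshake without presenting one (mutual TLS is not enforced).
resource "azurerm_app_service" "weak" {
  name                = "example-app-weak"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

  client_cert_enabled = false
}

# Corrected: incoming client certificates are required, so the App Service
# front end only accepts connections that present a certificate.
resource "azurerm_app_service" "secure" {
  name                = "example-app-secure"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

  client_cert_enabled = true
  # Client certificates only travel over TLS, so reject plain HTTP as well.
  https_only          = true
}
```

App Service terminates TLS at its front end and passes the client certificate to the application in the `X-ARR-ClientCert` header, so the application code must still validate that certificate (issuer, expiry, subject) before trusting the caller.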