include::../../../shared_content/secrets/description.adoc[] == Why is this an issue? As described in the https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger?tabs=python-v2%2Cisolated-process%2Cnodejs-v4%2Cfunctionsv2&pivots=programming-language-csharp#authorization-keys[Azure Functions documentation], Azure Functions let you use keys to make it harder to access your HTTP function endpoints *during development*. While keys provide a default security mechanism, distributing them in public apps is a bad practice and can lead to security and maintainability issues. === What is the potential impact? The impact of this access depends on what the Azure Function does and what permissions the key has. There are three types of keys that can be used to authenticate requests to an Azure Function: * **Function key**: Provides access to a specific function. * **Host key**: Provides access to all functions within a function app. * **System key**: Provides access to all functions within a function app and allows for administrative actions. Leaking these keys can result in unintended access to the functions and data they control. Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the key. :secret_type: authentication key include::../../../shared_content/secrets/impact/data_compromise.adoc[] include::../../../shared_content/secrets/impact/data_modification.adoc[] include::../../../shared_content/secrets/impact/financial_loss.adoc[] == How to fix it === Use app-level security As described in the https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger?tabs=python-v2%2Cisolated-process%2Cnodejs-v4%2Cfunctionsv2&pivots=programming-language-csharp#secure-an-http-endpoint-in-production[Azure Functions documentation], you can secure your HTTP function endpoints by using app-level security, and remove the need to use hardcoded keys. The first step is thus to set the HTTP-triggered function authorization level to `anonymous`. Then, examples of app-level security include: * authentication/authorization, either from the framework of your choice or https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization#why-use-the-built-in-authentication[Built-in Azure App Service Authentication/Authorization] * Azure https://learn.microsoft.com/en-us/azure/api-management/api-management-policies#authentication-policies[API Management Authentication Policies] * request authentication with the https://learn.microsoft.com/en-us/azure/app-service/environment/integrate-with-application-gateway[Azure App Service Environment] === Code examples ==== Noncompliant code example [source,bash] ---- curl -G \ 'https://example.azurewebsites.net/api/example' \ -d code=2PLqsO9INfpK8sgTS2BCsZXS6Dgzgz3bydKcq5TBcY8WAzFuqGlKRw==' # Noncompliant ---- == Resources include::../../../shared_content/secrets/resources/standards.adoc[] //=== Benchmarks