Commit 80c66fa

Improve clarity and grammar in security FAQ.
Edit review per CI 3446
1 parent f0b746c commit 80c66fa

1 file changed

Lines changed: 29 additions & 29 deletions

support/azure/app-service/faqs-web-app-security.md

@@ -10,38 +10,38 @@ ms.service: azure-app-service
1010
---
1111
# Frequently asked questions about App Service security
1212

13-
The [Microsoft Security Response Center](https://msrc.microsoft.com/) (MSRC) investigates all reports of security vulnerabilities that affect Microsoft products and services, and provides the information in the [Security Update Guide](https://msrc.microsoft.com/update-guide/vulnerability) as part of the ongoing effort to help you manage security risks and help keep your systems protected.
13+
[Microsoft Security Response Center](https://msrc.microsoft.com/) (MSRC) investigates all reports of security vulnerabilities that affect Microsoft products and services. MSRC provides this information in the [Security Update Guide](https://msrc.microsoft.com/update-guide/vulnerability) as part of an ongoing effort to help you manage security risks and keep your systems protected.
1414

15-
If your question isn't answered, submit a [support request](https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview?DMC=troubleshoot) with the the number of the CVE.
15+
If your question isn't answered here, submit a [support request](https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview?DMC=troubleshoot) that includes the number of the Common Vulnerabilities and Exposures bulletin (CVE).
1616

1717
To report a vulnerability, see [Report an issue](https://msrc.microsoft.com/report/vulnerability/new).
1818

1919
## FAQs
2020

21-
### How do I know whether a specific CVE (common vulnerability) or known security issue applies to my web app?
21+
### How do I know whether a specific CVE or known security issue applies to my web app?
2222

23-
App Service is a platform with various underlying technologies like Windows, Linux, and web application frameworks. Updates are applied at a routine cadence for OS, host runtime, and Microsoft image repo.
23+
App Service is a platform that has various underlying technologies, such as Windows, Linux, and web application frameworks. Updates are applied at a routine cadence for OS, host runtime, and Microsoft image repo.
2424

25-
- Check [this article](/azure/app-service/overview-patch-os-runtime) understand OS and runtime patching in Azure App Service regarding the OS or software in App Service.
26-
- [Check Guest OS patches details](/azure/cloud-services/cloud-services-guestos-msrc-releases) to understand the updates applied to the Azure Guest OS.
25+
- Check [this article](/azure/app-service/overview-patch-os-runtime) to understand OS and runtime updating in Azure App Service regarding the OS or software in App Service.
26+
- Check [Guest OS update details](/azure/cloud-services/cloud-services-guestos-msrc-releases) to understand the updates that are applied to the Azure Guest OS.
2727

28-
If you still need help, gather the following information before submitting a request to Azure Support:
28+
If you still need help, gather the following information before you submit a request to Azure support:
2929

30-
- Specify the security patch you are inquiring about.
31-
- Confirm the security patch version deployed on Azure for the software.
32-
- Determine whether the patch has already been applied in Azure.
30+
- Specify the security update that you're inquiring about.
31+
- Verify the security update version of the software that's deployed on Azure.
32+
- Determine whether the update is already applied in Azure.
3333

3434
### Is TLS 1.3 supported on Azure App Service?
3535

3636
For incoming requests to your web app, App Service supports TLS versions 1.0, 1.1, 1.2, and 1.3. See [Azure App Service TLS overview](/azure/app-service/overview-tls) for more information.
3737

3838
### How do I disable weak ciphers on Azure App Service?
3939

40-
A cipher suite is a set of instructions that contains algorithms and protocols to help secure network connections between clients and servers. The clients make a request to server with its list of cipher suites it supports, and the server (front-end of the web app) will pick the most secure one between intersection of the ones supported by both client and server. To help you have a clearer understanding of Cipher suites, see [Demystifying Cipher Suites on Azure App Services](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/demystifying-cipher-suites-on-azure-app-services/ba-p/2656254).
40+
A cipher suite is a set of instructions that contains algorithms and protocols to help secure network connections between clients and servers. A client makes a request to the server that includes a list of cipher suites that it supports, and the server (front-end of the web app) picks the most secure suite that's supported by both client and server. For a more comprehensive discussion of cipher suites, see [Demystifying Cipher Suites on Azure App Services](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/demystifying-cipher-suites-on-azure-app-services/ba-p/2656254).
4141

42-
For [Azure App Service Environment (ASE)](/azure/app-service/environment/overview), you can set your own ciphers through Azure Resource Explorer. For detail steps, see[Change TLS cipher suite order](/azure/app-service/environment/app-service-app-service-environment-custom-settings#change-tls-cipher-suite-order).
42+
For [Azure App Service Environment (ASE)](/azure/app-service/environment/overview), you can set your own ciphers through Azure Resource Explorer. For detailed steps, see [Change TLS cipher suite order](/azure/app-service/environment/app-service-app-service-environment-custom-settings#change-tls-cipher-suite-order).
4343

44-
To disable Weak TLS cipher Suites for web apps on multitenant, see [Disabling Weaker TLS Cipher Suites for web apps on multitenant Premium App Service Plans](https://azure.github.io/AppService/2022/10/11/Public-preview-min-tls-cipher-suite.html).
44+
To disable Weak TLS cipher suites for web apps on multitenant setups, see [Disabling weaker TLS ciphers suites for web apps on multitenant Premium App Service plans](https://azure.github.io/AppService/2022/10/11/Public-preview-min-tls-cipher-suite.html).
4545

4646
For more information, see [FAQ on App Service cipher suites](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/faq-on-app-service-cipher-suites/ba-p/3881922).
4747

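Review bot: At new line 44, the rewritten link text reads "Disabling weaker TLS ciphers suites", which introduces a typo ("ciphers suites"), and the sentence still capitalizes "Weak" in "To disable Weak TLS cipher suites"; suggest lowercase "weak" in the sentence and "cipher suites" in the link text. At new line 25, the sentence still says the same thing twice ("OS and runtime updating in Azure App Service regarding the OS or software in App Service") and keeps the non-descriptive link text "this article"; naming the target article would be clearer. At new line 15, "(CVE)" follows "bulletin", so the abbreviation appears to stand for the whole phrase; placing it directly after "Common Vulnerabilities and Exposures" would read more accurately.
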
@@ -51,38 +51,38 @@ By default, Distributed Denial of Service (DDoS) protection is not enabled for A
5151

5252
You can use [Azure DDoS Protection](/azure/ddos-protection/ddos-protection-overview) to protect your Azure resources from attacks. Azure DDoS Protection, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks.
5353

54-
Note that [Azure Traffic Manager](/azure/traffic-manager/traffic-manager-overview) is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions, while providing high availability and responsiveness. However, Traffic Manager does not provide protection against DDoS attacks.
54+
Notice that [Azure Traffic Manager](/azure/traffic-manager/traffic-manager-overview) is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions while providing high availability and responsiveness. However, Traffic Manager does not provide protection against DDoS attacks.
5555

56-
### I suspect my website is being hacked, what should I do?
56+
### I suspect that my website is being hacked. What should I do?
5757

58-
Microsoft secures and [frequently updates the hosting environment and infrastructure](/azure/app-service/overview-patch-os-runtime). If the website has been hacked or defaced, it is usually due to an exploited vulnerability that is often caused by an outdated package.
58+
Microsoft secures and [frequently updates the hosting environment and infrastructure](/azure/app-service/overview-patch-os-runtime). If a website was hacked or defaced, this usually indicates an exploited vulnerability that's caused by an outdated app package.
5959

60-
Azure App Service does not block insecure apps from running. If the website is vulnerable, you must fix the vulnerabilities in the website code and redeploy it to Azure App Service.
60+
Azure App Service does not block insecure apps from running. If the website is vulnerable, you must fix the vulnerabilities in the website code, and then redeploy it to Azure App Service.
6161

62-
Azure support can assist with reviewing the web app's HTTP logs and deployment history to identify when the unknown file was first accessed or what suspicious patterns appear in the logs. We can also offer guidance for configuring security services like Web Application Firewall and Microsoft Defender for App Service. However, we cannot take direct action, as the permanent fix may involve implementing a Web Application Firewall or updating the existing codes.
62+
Azure support can help you review the web app's HTTP logs and deployment history to identify when the unknown file was first accessed or whether suspicious patterns appear in the logs. We can also offer guidance about how to configure security services such as Web Application Firewall and Microsoft Defender for App Service. However, we can't take direct action because the permanent fix might involve implementing a Web Application Firewall or updating the existing codes.
6363

64-
You can [restore a backup](/azure/app-service/manage-backup?tabs=portal#restore-a-backup) or redeploy the site, but this is not a long term fix if the security issue is not fixed.
64+
You can [restore a backup](/azure/app-service/manage-backup?tabs=portal#restore-a-backup) or redeploy the site, but this is not a long-term fix if the security issue is not resolved.
6565

66-
### My site has been added to the block list, what should I do?
66+
### My site has been added to the blocklist. What should I do?
6767

68-
If the IP address is frequently blocklisted, it's important to investigate the root cause. This may result from sending spam emails, hosting malicious content, or other security vulnerabilities that should be resolved.
68+
If the IP address is frequently blocklisted, it's important to investigate the root cause. The blockage might be caused by sending spam email messages, hosting malicious content, or other security vulnerabilities that should be resolved.
6969

70-
- **Inbound IP blocklisted**: To address an inbound IP blocklisting issue, request a [static inbound IP address](/azure/app-service/overview-inbound-outbound-ips#get-a-static-inbound-ip) by securing your domain with IP-based SSL. Alternatively, you can use Azure services such as [Azure Application Gateway](/azure/application-gateway/overview) or [App Service Environment](/azure/app-service/environment/networking) (ASE) to gain a dedicated inbound IP address.
70+
- **Inbound IP blocklisted**: To address an inbound IP blocklisting issue, request a [static inbound IP address](/azure/app-service/overview-inbound-outbound-ips#get-a-static-inbound-ip) by using an IP-based SSL to secure your domain. Alternatively, you can use Azure services such as [Azure Application Gateway](/azure/application-gateway/overview) or [App Service Environment](/azure/app-service/environment/networking) (ASE) to gain a dedicated inbound IP address.
7171

72-
- **Outbound IP blocklisted**: The only way to request dedicated outbound IP addresses is to use an App Service Environment. Apps running in Azure share outbound addresses from a common pool.
72+
- **Outbound IP blocklisted**: The only way to request dedicated outbound IP addresses is to use an App Service Environment. Apps that run in Azure share outbound addresses from a common pool.
7373
- You can deploy your app in a different (resource group + location) to host the application in a new scale unit. [Scaling your app between pricing tiers](/azure/app-service/manage-scale-up#scale-up-your-pricing-tier) will also trigger a change in outbound IP addresses.
7474
- Alternatively, use [Azure's NAT Gateway](/azure/vpn-gateway/vpn-gateway-about-vpngateways) to assign dedicated outbound IP addresses to your resources.
7575
- For more information, see [How to fix outbound IPs for App Service using NAT Gateway](https://techcommunity.microsoft.com/blog/appsonazureblog/how-to-fix-outbound-ips-for-app-service/2320612).
7676

77-
- **SMTP blocklisted**: The port 25 is mainly used for unauthenticated email delivery. Outbound connections from App Services to the public internet using port 25 are not restricted. However, using this design could result in outbound IP addresses being flagged as spam and blocklisted.
78-
- We recommend using authenticated SMTP relay services to send email or implementing App Service VNet Integration.
77+
- **SMTP blocklisted**: Port 25 is mainly used for unauthenticated email delivery. Outbound connections from App Services to the public internet by using port 25 are not restricted. However, using this design could result in outbound IP addresses being flagged as spam and, therefore, blocklisted.
78+
- We recommend that you use authenticated SMTP relay services to send email or implement App Service VNet Integration.
7979
- Alternatively, host the App Service in an [App Service Environment (ASE)](/azure/app-service/environment/networking) to route outbound SMTP connections over a private network.
8080
- For details, refer to [Troubleshoot outbound SMTP connectivity problems in Azure](/azure/virtual-network/troubleshoot-outbound-smtp-connectivity).
8181

82-
### Why am I receiving warnings or alerts for my web app in security scan reports
82+
### Why am I receiving warnings or alerts for my web app in security scan reports?
8383

84-
Security scans are typically run against a web app URL. Make sure that the tested URL resolves to the intended web app. If it resolves elsewhere, such as an application gateway that leads the inaccurate scan result.
84+
Security scans are typically run against a web app URL. Make sure that the tested URL resolves to the intended web app. If it resolves elsewhere, such as an application gateway, you can expect to receive inaccurate scan results.
8585

86-
Some scan results could be a false positive, or others could be a genuine security issues that may require a consult with Azure support. Certain changes are within your control such as networking or website configuration, other changes are only within Microsoft's control at the platform level.
86+
Some scan results could be false positives even as others indicate a genuine security issue that might require a consultation with Azure support. Certain changes are within your control, such as networking or website configuration, but other changes are within only Microsoft's control at the platform level.
8787

88-
Azure support can assist by reviewing the full scan results, research to confirm if the result is true, and provide security feature options to you.
88+
Azure support can assist you by reviewing the full scan results, confirming the results, and providing security feature options to you.
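
Review bot: At new line 58, dropping "often" changes the claim rather than the grammar: the old text said the exploited vulnerability "is often caused by an outdated package", while the new text says it is one "that's caused by an outdated app package", which reads as the only cause. For a commit described as a clarity and grammar pass, suggest keeping the hedge, for example "that's often caused by an outdated app package". Smaller points in the same hunk: new line 54 turns "Note that" into "Notice that", which reads as an instruction to observe rather than a caveat; new line 62 keeps "updating the existing codes" where "code" is meant; new line 70 says "an IP-based SSL", where the original "IP-based SSL" had no article; and unchanged line 74 labels its link "Azure's NAT Gateway" while the target path is /azure/vpn-gateway/vpn-gateway-about-vpngateways, which is worth checking while this section is being edited.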
