Commit cf6d705

committed
touchups
1 parent a72f3c5 commit cf6d705

2 files changed

+11
-10
lines changed


articles/app-service/overview-security.md

Lines changed: 9 additions & 8 deletions
@@ -3,7 +3,7 @@ title: Security in Azure App Service
33
description: Learn about how Azure App Service helps secure your app, and how you can help protect your app from security threats.
44
keywords: azure app service, web app, mobile app, api app, function app, security, secure, secured, compliance, compliant, certificate, certificates, https, ftps, tls, trust, encryption, encrypt, encrypted, ip restriction, authentication, authorization, authn, autho, msi, managed service identity, managed identity, secrets, secret, patching, patch, patches, version, isolation, network isolation, ddos, mitm
55
ms.topic: overview
6-
ms.date: 07/02/2025
6+
ms.date: 07/03/2025
77
ms.update-cycle: 1095-days
88
ms.custom: UpdateFrequency3
99
author: cephalin
@@ -20,7 +20,7 @@ The following sections describe more ways to help protect your App Service app f
2020

2121
## HTTPS and certificates
2222

23-
You can use App Service to secure your apps through [HTTPS](https://wikipedia.org/wiki/HTTPS). When your app is created, its default domain name `<app_name>.azurewebsites.net` is already accessible via HTTPS. If you [configure a custom domain for your app](app-service-web-tutorial-custom-domain.md), help [secure it with a TLS/SSL certificate](configure-ssl-bindings.md) so that client browsers can make secure HTTPS connections to your custom domain.
23+
You can use App Service to secure your apps through [HTTPS](https://wikipedia.org/wiki/HTTPS). When your app is created, its default domain name `<app_name>.azurewebsites.net` is already accessible via HTTPS. If you [configure a custom domain for your app](app-service-web-tutorial-custom-domain.md), help [secure it with a TLS/SSL certificate](configure-ssl-bindings.md) so client browsers can make secure HTTPS connections to your custom domain.
2424

2525
App Service supports the following types of certificates:
2626

@@ -41,7 +41,7 @@ Azure App Service supports the following [Transport Layer Security (TLS)](https:
4141
- TLS 1.2: The default minimum TLS version for new web apps.
4242
- TLS 1.1 and TLS 1.0: Versions supported for backward compatibility, but not considered secure by industry standards such as the [Payment Card Industry Data Security Standard (PCI DSS)](https://wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard).
4343

44-
You can configure the minimum TLS version for incoming requests to your web app and its Source Control Manager (SCM) site. By default, the minimum is set to **TLS 1.2**. To enforce different TLS versions, see [Configure general settings](configure-common.md#configure-general-settings).
44+
You can configure the minimum TLS version for incoming requests to your web app and its Source Control Manager (SCM) site. By default, the minimum is set to **TLS 1.2**. To allow different TLS versions, see [Configure general settings](configure-common.md#configure-general-settings).
4545

4646
App Service supports both FTP and FTPS for deploying app files. New apps are set to accept only FTPS by default. To increase security, use FTPS instead of FTP if possible. If you aren't using FTP/S, you should [disable it](deploy-ftp.md#enforce-ftps). For more information, see [Deploy your app to Azure App Service using FTP/S](deploy-ftp.md).
4747

@@ -63,7 +63,7 @@ App Service authentication and authorization support multiple authentication pro
6363

6464
When you authenticate against a back-end service, App Service provides two mechanisms depending on your needs:
6565

66-
- **Service identity** signs in to the remote resource by using the identity of the app itself. In App Service, you can create a [managed identity](overview-managed-identity.md) that other services, such as [Azure SQL Database](/azure/sql-database/) or [Azure Key Vault](/azure/key-vault/), can use to authenticate. For an end-to-end tutorial, see [Secure an Azure SQL Database connection from App Service by using a managed identity](tutorial-connect-msi-sql-database.md).
66+
- **Service identity** signs in to the remote resource by using the identity of the app itself. In App Service, you can create a [managed identity](overview-managed-identity.md) that other services, such as [Azure SQL Database](/azure/sql-database/) or [Azure Key Vault](/azure/key-vault/), can use to authenticate. For an end-to-end tutorial, see [Use managed identity to connect an Azure web app to an Azure SQL database without secrets](tutorial-connect-msi-sql-database.md).
6767

6868
- **On behalf of (OBO) authentication** delegates access to remote resources on behalf of the user. With Microsoft Entra ID as the authentication provider, your App Service app can perform delegated sign-in to a remote service such as [Microsoft Graph](/graph/overview) or to a remote App Service API app. For an end-to-end tutorial, see [Authenticate and authorize users end to end in Azure App Service](tutorial-auth-aad.md).
6969

@@ -87,14 +87,15 @@ To isolate your resource connectivity completely from the shared networks in Azu
8787

8888
### On-premises resources
8989

90-
You can securely access on-premises resources like databases in the following ways:
90+
You can securely access on-premises resources such as databases in the following ways:
9191

9292
- A [hybrid connection](app-service-hybrid-connections.md) establishes a point-to-point connection to your remote resource through a Transmission Control Protocol (TCP) tunnel that uses TLS 1.2 with shared access signature keys.
93-
- [Virtual network integration](overview-vnet-integration.md) or [App Service Environment](environment/intro.md) with site-to-site VPN connect as described in [Resources inside an Azure virtual network](#resources-inside-an-azure-virtual-network), but connect the virtual network to the on-premises network through a [site-to-site VPN](/azure/vpn-gateway/tutorial-site-to-site-portal). In this network topology, your app can connect to on-premises resources the same way it connects to other resources in the virtual network.
93+
94+
- [Virtual network integration](overview-vnet-integration.md) with a site-to-site VPN or [App Service Environment](environment/intro.md) with a site-to-site VPN. These methods connect the app's virtual network to the on-premises network as described in [Resources inside an Azure virtual network](#resources-inside-an-azure-virtual-network), but the virtual network connects to the on-premises network through a [site-to-site VPN](/azure/vpn-gateway/tutorial-site-to-site-portal). In these network topologies, your app can connect to on-premises resources the same way it connects to other resources in its virtual network.
9495

9596
## Application secrets
9697

97-
Don't store application secrets like database credentials, API tokens, and private keys in code or configuration files, but access them as [environment variables](https://wikipedia.org/wiki/Environment_variable) using the standard pattern for your code language. In App Service, you define environment variables through [app settings](configure-common.md#configure-app-settings) and, especially for .NET applications, through [connection strings](configure-common.md#configure-connection-strings).
98+
Don't store application secrets like database credentials, API tokens, and private keys in code or configuration files. Access them as [environment variables](https://wikipedia.org/wiki/Environment_variable) using the standard pattern for your code language. In App Service, you define environment variables through [app settings](configure-common.md#configure-app-settings) and, especially for .NET applications, through [connection strings](configure-common.md#configure-connection-strings).
9899

99100
App settings and connection strings are stored encrypted in Azure and are decrypted just before they're injected into your app's process memory when the app starts. The encryption keys are rotated regularly.
100101

@@ -107,7 +108,7 @@ All App Service pricing tiers run your apps on the Azure shared network infrastr
107108
The Isolated tier provides complete network isolation by running your apps inside a dedicated [App Service Environment](environment/intro.md) in your own instance of [Azure Virtual Network](/azure/virtual-network/index). By using network isolation, you can:
108109

109110
- Serve your apps through a dedicated public endpoint with dedicated front ends.
110-
- Serve internal application by using an internal load balancer (ILB) that allows access only from inside your Azure virtual network. The ILB has an IP address from your private subnet, which provides total isolation of your apps from the internet.
111+
- Serve internal apps by using an internal load balancer (ILB) that allows access only from inside your Azure virtual network. The ILB has an IP address from your private subnet, which provides total isolation of your apps from the internet.
111112
- [Use an ILB behind a web application firewall (WAF)](environment/integrate-with-application-gateway.md). The WAF offers enterprise-level URI filtering, protection from distributed denial-of-service (DDoS) attacks, and SQL injection prevention for your public-facing applications.
112113

113114
## DDoS protection

includes/app-service-security-intro.md

Lines changed: 2 additions & 2 deletions
@@ -2,12 +2,12 @@
22
author: cephalin
33
ms.service: azure-app-service
44
ms.topic: include
5-
ms.date: 07/02/2025
5+
ms.date: 07/03/2025
66
ms.author: cephalin
77
---
88
Azure App Service actively secures and hardens its platform components, including Azure virtual machines (VMs), storage, network connections, web frameworks, and management and integration features. App Service undergoes continuous, rigorous compliance checks to ensure that:
99

10-
- [Apps are segregated from other Azure apps and resources](https://github.com/projectkudu/kudu/wiki/Azure-Web-App-sandbox).
10+
- [Each app is segregated from other Azure apps and resources](https://github.com/projectkudu/kudu/wiki/Azure-Web-App-sandbox).
1111
- [Regular updates of VMs and runtime software](/azure/app-service/overview-patch-os-runtime) address newly discovered vulnerabilities.
1212
- Communication of secrets and connection strings between apps and other Azure resources like [Azure SQL Database](https://azure.microsoft.com/services/sql-database/) occurs only within Azure, without crossing any network boundaries. Stored secrets are always encrypted.
1313
- All communications over App Service connectivity features like [Hybrid Connection](/azure/app-service/app-service-hybrid-connections) are encrypted.
