When you configure an Azure App Service for TLS mutual authentication, the App Service front-end terminates the TLS connection and validates the client certificate. If the certificate is valid, the App Service forwards the certificate to your application code for further validation (e.g., checking the issuer or thumbprint).

The certificate is passed along within the HTTP request in a specific header named X-ARR-ClientCert. Since HTTP headers are text-based, the binary X.509 certificate is Base64 encoded to be safely transmitted as a header value. Your application code must then read this header and decode the Base64 string to access the certificate data.

Microsoft Corporation. (2023). Configure TLS mutual authentication for Azure App Service. Microsoft Learn. In the section "Access the client certificate," it states, "App Service forwards the client certificate as a base64-encoded string in the X-ARR-ClientCert request header." This directly confirms both selections.

Shein, E. (2018). Implementing and Auditing the Secure Sockets Layer Protocol. In The Common Body of Knowledge for Information Security Professionals (p. 238). Auerbach Publications. DOI: https://doi.org/10.1201/9780429466384. This book describes the general architecture where a front-end server or proxy handles the SSL/TLS handshake and can pass client certificate details to a back-end application, often via custom HTTP headers.

Fielding, R., & Reschke, J. (2014). Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. RFC 7230, Section 3.2. Internet Engineering Task Force (IETF). This standard defines the syntax for HTTP message headers, which consist of a case-insensitive field name followed by a colon and field value. It establishes the text-based nature of headers, necessitating the encoding of binary data like certificates.