Enforce HTTPS Connections for App Engine Applications

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Ensure that all connections made to your Google App Engine applications are using HTTPS in order to protect against eavesdropping and data exposure. To enforce HTTPS connections at the App Engine application level, you have to configure your app's settings within the app.yaml configuration file. The app.yaml file acts as a deployment descriptor of a specific service version.

Security

By default, the HTTPS protocol is not strictly enforced for Google App Engine applications. This means that your web application is also available over plain HTTP, and any sensitive information is sent unencrypted over the network, where it can be intercepted by a malicious actor performing a man-in-the-middle attack. To adhere to cloud security best practices, always configure your App Engine applications to enforce HTTPS for connections to and from your web apps.

Note: As an example, this conformity rule demonstrates how to check for HTTPS enforcement and how to enable the HTTPS protocol for an App Engine application built with Node.js 10.


Audit

To determine if your Google App Engine applications are configured to use HTTPS connections, perform the following operations:

Note: Verifying your Google App Engine applications for HTTPS enforcement using Command Line Interface (CLI) is not currently supported.

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 From the console top navigation bar, select the Google Cloud Platform (GCP) project that contains the App Engine application that you want to examine. A GCP project contains your App Engine application as well as other Google Cloud resources.

03 Navigate to Google App Engine application settings dashboard at https://console.cloud.google.com/appengine/settings.

04 Select the Application settings tab and click on the domain (link) of the selected App Engine application, available under Default Cloud Storage Bucket, to access the storage bucket that holds the application files.

05 Select the Objects tab and search for the app.yaml configuration file created for your App Engine application. The app.yaml file contains information about your application's code, the runtime details, and the environment variables.

06 Click on the name of the app.yaml file, then click DOWNLOAD to save the configuration file to your computer.

07 Open the app.yaml file using a text editor. For example, the following app.yaml contains the configuration elements of a Node.js 10 application:

runtime: nodejs10

instance_class: F2

env_variables:
  BUCKET_NAME: "cloudconformity-app"

handlers:
- url: /stylesheets
  static_dir: stylesheets

- url: /.*
  secure: never
  redirect_http_response_code: 301
  script: auto

Search the file controlling your application for a handler element named secure that is defined for the entire domain (i.e. url: /.*); this element controls whether secure connections are enforced. If the secure element is not provided for that handler, or it is defined but its value is not set to always (in the example above it is set to never), the selected Google App Engine application is not configured to enforce HTTPS connections.

08 Repeat steps no. 2 – 7 for each project deployed within your Google Cloud account.

Remediation / Resolution

To enforce HTTPS connections for your Google App Engine applications, perform the following actions:

Note: Enabling HTTPS for your Google App Engine applications using Command Line Interface (CLI) is not currently supported.

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 From the console top navigation bar, select the Google Cloud Platform (GCP) project that contains the App Engine application that you want to reconfigure.

03 Navigate to Google App Engine application settings dashboard at https://console.cloud.google.com/appengine/settings.

04 Select the Application settings tab and click on the domain (link) of the selected App Engine application, available under Default Cloud Storage Bucket, to access the storage bucket that contains the application files.

05 Select the Objects tab and search for the app.yaml configuration file created for your App Engine application. The app.yaml file contains information about your application's code, the runtime details, and the environment variables.

06 Click on the name of the app.yaml file, then click DOWNLOAD to save the configuration file to your computer.

07 Open the app.yaml file defined for the selected application and set the secure element value to always for the entire domain (i.e. url: /.*), as shown in the example below. The secure: always configuration element enforces secure connections for the selected Google App Engine application:

runtime: nodejs10

instance_class: F2

env_variables:
  BUCKET_NAME: "cloudconformity-app"

handlers:
- url: /stylesheets
  static_dir: stylesheets

- url: /.*
  secure: always
  redirect_http_response_code: 301
  script: auto

08 Repeat steps no. 2 – 7 for each GCP project available within your Google Cloud account.
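Because the audit step above must be done by hand on a downloaded app.yaml, here is an added example (not Conformity's or Google's code) that applies the same check to a local copy of the file: it fails the audit configuration from step 07 of the Audit section, passes the remediated configuration from step 07 above, and also lists handlers declared before the catch-all that are still reachable over plain HTTP. The FAILING and PASSING strings are constructed samples; the hand-written reader only understands the flat handlers list shown on this page.

```python
"""Audit an App Engine app.yaml for HTTPS enforcement (added example, not
Conformity's or Google's code). The hand-written reader handles only the flat
`handlers:` list shown on this page; real files may need a YAML parser."""
CATCH_ALL = "/.*"
SECURE_DEFAULT = "optional"  # App Engine's behaviour when `secure` is omitted

def parse_handlers(app_yaml: str) -> list:
    """Return the mappings listed under the top-level `handlers:` key."""
    handlers, current, in_handlers = [], None, False
    for raw in app_yaml.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments, trailing space
        if not line.strip():
            continue
        if not line.startswith((" ", "-")):  # a top-level key starts a section
            in_handlers, current = line == "handlers:", None
            continue
        if not in_handlers:
            continue
        if line.lstrip().startswith("- "):  # `- url: ...` opens a new handler
            current = {}
            handlers.append(current)
        if current is not None:
            key, _, value = line.lstrip(" -").partition(":")
            current[key.strip()] = value.strip().strip("'\"")
    return handlers

def handler_security(app_yaml: str) -> dict:
    """Map each handler url to its effective `secure` value."""
    return {h.get("url"): h.get("secure", SECURE_DEFAULT) for h in parse_handlers(app_yaml)}

def https_enforced(app_yaml: str) -> bool:
    """The Conformity check: the catch-all `/.*` handler must be secure: always."""
    return handler_security(app_yaml).get(CATCH_ALL) == "always"

def http_reachable_paths(app_yaml: str) -> list:
    """Handler urls still served over plain HTTP: App Engine uses the first
    matching handler, so the catch-all setting does not cover earlier ones."""
    return [u for u, s in handler_security(app_yaml).items() if s != "always"]

# Constructed samples: this page's failing audit config and its remediated form.
FAILING = """\
runtime: nodejs10
handlers:
- url: /stylesheets
  static_dir: stylesheets
- url: /.*
  secure: never
"""
PASSING = FAILING.replace("secure: never", "secure: always").replace(
    "static_dir: stylesheets", "static_dir: stylesheets\n  secure: always")
```

An edited app.yaml only takes effect once the service version is redeployed with it, so re-run the check against the file you actually deploy.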

Publication date Apr 12, 2021
