Ensure that all connections made to your Google App Engine applications are using HTTPS in order to protect against eavesdropping and data exposure. To enforce HTTPS connections at the App Engine application level, you have to configure your app's settings within the app.yaml configuration file. The app.yaml file acts as a deployment descriptor of a specific service version.
By default, the HTTPS protocol is not strictly enforced for Google App Engine applications. This means that your web application is available over plain HTTP and any sensitive information is sent unencrypted over the network, where it can be intercepted by a malicious actor performing a man-in-the-middle attack. To adhere to cloud security best practices, always configure your App Engine applications to enforce HTTPS for connections to and from your web apps.
Note: As an example, this conformity rule demonstrates how to check for HTTPS enforcement and how to enable the HTTPS protocol for an App Engine application built with Node.js 10.
To determine if your Google App Engine applications are configured to use HTTPS connections, perform the following operations:
Note: Verifying your Google App Engine applications for HTTPS enforcement using the Command Line Interface (CLI) is not currently supported.
Remediation / Resolution
To enforce HTTPS connections for your Google App Engine applications, perform the following actions:
Note: Enabling HTTPS for your Google App Engine applications using the Command Line Interface (CLI) is not currently supported.
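As an added example (not part of the original rule text), the following app.yaml enforces HTTPS for the Node.js 10 service described above: every URL handler carries `secure: always`, so requests arriving over plain HTTP are redirected to HTTPS. The handler URL pattern and redirect code are illustrative choices; an app.yaml whose handlers omit `secure` (equivalent to `secure: optional`) leaves the service reachable over HTTP.

```yaml
# app.yaml for a Node.js 10 standard environment service (runtime taken from the rule text)
runtime: nodejs10

handlers:
  # Match every request path. Without "secure: always" (the default is
  # "secure: optional"), this handler would accept both HTTP and HTTPS.
  - url: /.*
    # Require HTTPS; App Engine redirects HTTP requests to the HTTPS URL.
    secure: always
    # Use a permanent redirect so clients and caches learn the HTTPS origin.
    redirect_http_response_code: 301
    # Required for Node.js runtimes: route the request to the app's server.
    script: auto
```

A quick check after deployment is that an http:// request to the service returns a 301 to the https:// URL instead of serving content.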
Enforce HTTPS Connections for App Engine Applications
Risk level: High