4.10 Ensure that App Engine applications enforce HTTPS connections

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

In order to maintain the highest level of security, all connections to an application should be secure by default.

Rationale:

Insecure HTTP connections may be subject to eavesdropping, which can expose sensitive data.

Impact:

All connections to App Engine will automatically be redirected to the HTTPS endpoint, ensuring that all connections are secured by TLS.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Add a line to the app.yaml file controlling the application which enforces secure connections. For example:

handlers:
- url: /.*
  secure: always
  redirect_http_response_code: 301
  script: auto

[https://cloud.google.com/appengine/docs/standard/python3/config/appref]
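As an added compliance check that is not part of this audit, of Nessus or of the CIS benchmark, the following Python script scans an app.yaml for handlers that do not set `secure: always`; the sample configuration and the minimal parser are assumptions made for this page.

```python
"""Audit an App Engine app.yaml for handlers that do not enforce HTTPS.

Hypothetical helper written for this page. It accepts the simple
'handlers:' layout shown above (a list of flat key/value mappings)
and does not need PyYAML.
"""

# Constructed sample: the first handler is compliant, the second sets
# 'secure: optional', the third omits 'secure' (App Engine then defaults
# to optional, so HTTP is still accepted).
SAMPLE_APP_YAML = """\
runtime: python39
handlers:
- url: /.*
  secure: always
  redirect_http_response_code: 301
  script: auto
- url: /legacy/.*
  secure: optional
  script: auto
- url: /static
  static_dir: static
"""

def parse_handlers(text):
    """Return the list of handler mappings under the top-level 'handlers:' key."""
    handlers, current, in_handlers = [], None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line.startswith((" ", "-")):        # a new top-level key
            in_handlers = line.startswith("handlers:")
            continue
        if not in_handlers:
            continue
        item = line.lstrip()
        if item.startswith("- "):                  # start of a new handler
            current = {}
            handlers.append(current)
            item = item[2:]
        if current is None:                        # key outside any list item
            continue
        key, _, value = item.partition(":")
        current[key.strip()] = value.strip()
    return handlers

def find_insecure_handlers(text):
    """Return (url, reason) for every handler that does not set 'secure: always'."""
    findings = []
    for h in parse_handlers(text):
        secure = h.get("secure", "optional")       # App Engine default is optional
        if secure != "always":
            findings.append((h.get("url", "?"), f"secure: {secure}"))
    return findings

if __name__ == "__main__":
    for url, reason in find_insecure_handlers(SAMPLE_APP_YAML):
        print(f"NON-COMPLIANT handler {url!r}: {reason}")
```

Run it against a real app.yaml by reading the file into `find_insecure_handlers`; an empty result means every handler enforces HTTPS.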

Default Value:

By default both HTTP and HTTPS are supported.

See Also

https://workbench.cisecurity.org/files/3316