4.10 Ensure That App Engine Applications Enforce HTTPS Connections

Information

In order to maintain the highest level of security all connections to an application should be secure by default.

Rationale:

Insecure HTTP connections maybe subject to eavesdropping which can expose sensitive data.

Impact:

All connections to appengine will automatically be redirected to the HTTPS endpoint ensuring that all connections are secured by TLS.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Add a line to the app.yaml file controlling the application which enforces secure connections. For example

handlers:
- url: /.*
 **secure: always**
 redirect_http_response_code: 301
 script: auto

[https://cloud.google.com/appengine/docs/standard/python3/config/appref]

Default Value:

By default both HTTP and HTTP are supported

See Also

https://workbench.cisecurity.org/files/3817

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SA-15, 800-53|SC-8, 800-53|SC-8(1), CSCv7|18.5

Plugin: GCP

Control ID: ad533ed2757fd77b49f6928cb2d2638c4e4caa062a18d53d51858feec09ce453