Information
To maintain the highest level of security, all connections to an application should be secured by default.
Rationale:
Insecure HTTP connections may be subject to eavesdropping, which can expose sensitive data such as session cookies and credentials in transit.
Impact:
All plain HTTP connections to the App Engine application will automatically be redirected to the HTTPS endpoint, ensuring that every connection is protected by TLS.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
In the app.yaml file controlling the application, set secure: always on each handler (or on a catch-all handler) so that HTTPS is enforced. The secure setting applies per handler, so a handler without it keeps the default and still accepts plain HTTP. For example:
handlers:
- url: /.*
  secure: always
  redirect_http_response_code: 301
  script: auto
[https://cloud.google.com/appengine/docs/standard/python3/config/appref]
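Because the scanner does not perform this check itself, the following added example (not part of the benchmark or of Google's tooling) audits an app.yaml for handlers that do not enforce HTTPS. It uses a deliberately minimal parser for the flat `- key: value` handler form shown above rather than a full YAML loader, and the sample app.yaml embedded in it is constructed for illustration; a handler with no secure key is reported because App Engine then applies the default of optional, which accepts plain HTTP.

```python
"""Audit an App Engine app.yaml for handlers that do not enforce HTTPS."""
from typing import Dict, List

# Constructed sample app.yaml (not from a real project): one handler omits
# `secure`, one sets `secure: optional`, and only the catch-all is compliant.
SAMPLE_APP_YAML = """\
runtime: python39

handlers:
- url: /static
  static_dir: static

- url: /api/.*
  secure: optional
  script: auto

- url: /.*
  secure: always
  redirect_http_response_code: 301
  script: auto
"""


def parse_handlers(app_yaml: str) -> List[Dict[str, str]]:
    """Minimal parser for the `handlers:` list of an app.yaml.

    Only the flat `- key: value` form used in the benchmark example is
    handled (no nested maps, no quoting). A real YAML loader would
    replace this; it is kept dependency-free so the audit runs anywhere.
    """
    handlers: List[Dict[str, str]] = []
    in_handlers = False
    for raw in app_yaml.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" ") and not line.startswith("-"):
            # A top-level key: we enter the handlers block on `handlers:`
            # and leave it on any other top-level key.
            in_handlers = line.split(":", 1)[0].strip() == "handlers"
            continue
        if not in_handlers:
            continue
        stripped = line.strip()
        if stripped.startswith("- "):
            handlers.append({})          # start of a new handler entry
            stripped = stripped[2:]
        if handlers and ":" in stripped:
            key, value = stripped.split(":", 1)
            handlers[-1][key.strip()] = value.strip()
    return handlers


def insecure_handlers(app_yaml: str) -> List[Dict[str, str]]:
    """Return handlers whose `secure` setting is anything other than `always`.

    A missing `secure` key means App Engine's default (`optional`), which
    still serves plain HTTP, so such handlers are reported as well.
    """
    return [h for h in parse_handlers(app_yaml)
            if h.get("secure", "optional") != "always"]


if __name__ == "__main__":
    for handler in insecure_handlers(SAMPLE_APP_YAML):
        print("handler does not enforce HTTPS:", handler.get("url", "?"),
              "secure =", handler.get("secure", "<unset, defaults to optional>"))
```

Run it against a real app.yaml by replacing SAMPLE_APP_YAML with the file's contents; an empty result from insecure_handlers means every handler either sets secure: always or is shadowed by nothing that still accepts HTTP.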
Default Value:
By default both HTTP and HTTPS are accepted: a handler with no secure setting behaves as secure: optional.