4.10 Ensure That App Engine Applications Enforce HTTPS Connections

Information

In order to maintain the highest level of security all connections to an application should be secure by default.

Rationale:

Insecure HTTP connections maybe subject to eavesdropping which can expose sensitive data.

Impact:

All connections to appengine will automatically be redirected to the HTTPS endpoint ensuring that all connections are secured by TLS.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Add a line to the app.yaml file controlling the application which enforces secure connections. For example

handlers:
- url: /.*
**secure: always**
redirect_http_response_code: 301
script: auto

[https://cloud.google.com/appengine/docs/standard/python3/config/appref]

Default Value:

By default both HTTP and HTTP are supported

See Also

https://workbench.cisecurity.org/benchmarks/11843

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SA-15, 800-53|SC-8, 800-53|SC-8(1), CSCv7|18.5

Plugin: GCP

Control ID: dd7930943ea5b96a447ff6fc74d879bfaa3c882204239c1711ca6c1746afe0ae