Google App Engine Application HTTPS Connection is not enforced
- Contextual name: Application HTTPS Connection is not enforced
- ID:
/ce/ca/google/app-engine/app-engine-application-https-connection
- Located in: Google App Engine
Flags
- Impossible policy
- Policy with categories
- Policy with type
Our Metadata
- Policy Type:
COMPLIANCE_POLICY
- Policy Category:
SECURITY
Similar Policies
- Cloud Conformity
Description
To maintain the highest level of security, all connections to an application should be secure by default.
Rationale
Insecure HTTP connections may be subject to eavesdropping, which can expose sensitive data.
Impact
All connections to App Engine will automatically be redirected to the HTTPS endpoint, ensuring that all connections are secured by TLS.
Audit
Verify that the app.yaml file controlling the application contains a line which enforces secure connections. For example:
```yaml
handlers:
- url: /.*
  secure: always
  redirect_http_response_code: 301
  script: auto
```
https://cloud.google.com/appengine/docs/standard/python3/config/appref
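The audit step above can be automated. The following Python check is an added example, not part of the original policy or of Google's tooling: it reads the `handlers:` list of an app.yaml and reports every handler that does not set `secure: always`. It assumes a simple block-style file (its reader is not a full YAML parser) and treats an omitted `secure` as the default `optional`; the function names and both sample files are constructed for illustration.

```python
def parse_handlers(app_yaml):
    """Added example, not a full YAML parser: read the block-style `handlers:` list."""
    handlers, in_handlers = [], False
    for raw in app_yaml.splitlines():
        line = raw.split(" #")[0].rstrip()           # drop trailing comments
        if not line or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t-":                    # a new top-level key
            in_handlers = line.startswith("handlers:")
            continue
        item = line.strip()
        if in_handlers and item.startswith("- "):    # start of a new handler
            handlers.append({})
            item = item[2:].strip()
        if in_handlers and handlers and ":" in item:
            key, _, value = item.partition(":")
            handlers[-1][key.strip()] = value.strip().strip("'\"")
    return handlers

def audit_app_yaml(app_yaml):
    """List findings; an empty list means every handler enforces HTTPS."""
    handlers = parse_handlers(app_yaml)
    if not handlers:
        return ["no handlers defined: 'secure: always' is not set anywhere"]
    findings = []
    for h in handlers:
        secure = h.get("secure", "optional")         # assumed default when omitted
        if secure != "always":
            findings.append(f"{h.get('url', '?')}: secure is '{secure}', expected 'always'")
    return findings

# Constructed sample files (not taken from a real application).
COMPLIANT = """handlers:
- url: /.*
  secure: always
  redirect_http_response_code: 301
  script: auto
"""
NONCOMPLIANT = """runtime: python312
handlers:
- url: /static
  static_dir: static
- url: /.*
  script: auto
  secure: never
"""

if __name__ == "__main__":
    print(audit_app_yaml(COMPLIANT), audit_app_yaml(NONCOMPLIANT))
```

A catch-all `/.*` handler with `secure: always` does not cover handlers listed before it, which is why the check looks at every handler rather than only the last one.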
Default Value
By default, both HTTP and HTTPS are supported.
References
Remediation
Add a line to the app.yaml file controlling the application which enforces secure connections. For example:
```yaml
handlers:
- url: /.*
  secure: always  # the line that enforces HTTPS
  redirect_http_response_code: 301
  script: auto
```
https://cloud.google.com/appengine/docs/standard/python3/config/appref
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
CIS GCP v3.0.0 → 4.10 Ensure That App Engine Applications Enforce HTTPS Connections - Level 2 (Manual) | 1 | |||
Cloudaware Framework → Data Encryption | 31 |