Skip to main content

πŸ›‘οΈ Google App Engine Application HTTPS Connection is not enforced🟒βšͺ

  • Contextual name: πŸ›‘οΈ Application HTTPS Connection is not enforced🟒βšͺ
  • ID: /ce/ca/google/app-engine/app-engine-application-https-connection
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Similar Policies​

Description​

Open File

Description​

To maintain the highest level of security, all connections to an application should be secure by default.

Rationale​

Insecure HTTP connections may be subject to eavesdropping, which can expose sensitive data.

Impact​

All connections to App Engine will automatically be redirected to the HTTPS endpoint, ensuring that all connections are secured by TLS.

Audit​

Verify that the app.yaml file controlling the application contains a line that enforces secure connections. For example:

handlers: 
- url: /.* 
secure: always 
redirect_http_response_code: 301 
script: auto

https://cloud.google.com/appengine/docs/standard/python3/config/appref

Default Value​

By default, both HTTP and HTTPS are supported.

References​

  1. https://cloud.google.com/appengine/docs/standard/python3/config/appref
  2. https://cloud.google.com/appengine/docs/flexible/nodejs/configuring-your-app-with-app-yaml

Remediation​

Open File

Remediation​

Add a line to the app.yaml file controlling the application that enforces secure connections. For example:

handlers: 
- url: /.* 
**secure: always** 
redirect_http_response_code: 301 
script: auto

https://cloud.google.com/appengine/docs/standard/python3/config/appref

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 4.10 Ensure that App Engine applications enforce HTTPS connections - Level 2 (Manual _ Not supported, requires a manual assessment)1no data
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 4.10 Ensure That App Engine Applications Enforce HTTPS Connections - Level 2 (Manual)1no data
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 4.10 Ensure That App Engine Applications Enforce HTTPS Connections - Level 2 (Manual)1no data
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 4.10 Ensure That App Engine Applications Enforce HTTPS Connections - Level 2 (Manual)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption70no data