lacework-global-307
4.10 Ensure That App Engine Applications Enforce HTTPS Connections (Manual)
Profile Applicability
• Level 2
Description
In order to maintain the highest level of security all connections to an application should be secure by default.
Rationale
Insecure HTTP connections maybe subject to eavesdropping which can expose sensitive data.
Impact
All connections to appengine will automatically be redirected to the HTTPS endpoint ensuring that all connections are secured by TLS.
Audit
Verify that the app.yaml file controlling the application contains a line which enforces secure connections. For example
handlers:
- url: /.*
secure: always
redirect_http_response_code: 301
script: auto
https://cloud.google.com/appengine/docs/standard/python3/config/appref
Remediation
Add a line to the app.yaml file controlling the application which enforces secure connections. For example
handlers:
- url: /.*
**secure: always**
redirect_http_response_code: 301
script: auto
[https://cloud.google.com/appengine/docs/standard/python3/config/appref]
References
https://cloud.google.com/appengine/docs/standard/python3/config/appref
https://cloud.google.com/appengine/docs/flexible/nodejs/configuring-your-app-with-app-yaml