
lacework-global-307

4.10 Ensure That App Engine Applications Enforce HTTPS Connections (Manual)

Profile Applicability

• Level 2

Description

To maintain the highest level of security, all connections to an application should be secure by default.

Rationale

Insecure HTTP connections may be subject to eavesdropping, which can expose sensitive data.

Impact

All connections to App Engine will automatically be redirected to the HTTPS endpoint, ensuring that all connections are secured by TLS.

Audit

Verify that the app.yaml file controlling the application contains a line that enforces secure connections. For example:

handlers:
  - url: /.*
    secure: always
    redirect_http_response_code: 301
    script: auto

https://cloud.google.com/appengine/docs/standard/python3/config/appref
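As an added audit helper (not part of the benchmark text or of Google's tooling), the Python script below parses the handlers section of an app.yaml and reports every handler that does not set secure: always, which is the condition this control audits. The two app.yaml samples are constructed for the example, and the parser only understands the flat "- key: value" handler layout shown above, not arbitrary YAML.

```python
"""Audit helper: flag App Engine app.yaml handlers that do not enforce HTTPS."""

# Constructed sample: compliant app.yaml, every handler has secure: always.
COMPLIANT_APP_YAML = """\
runtime: python39

handlers:
  - url: /.*
    secure: always
    redirect_http_response_code: 301
    script: auto
"""

# Constructed sample: a static handler with no secure key and a
# catch-all that only sets secure: optional (HTTP still accepted).
NONCOMPLIANT_APP_YAML = """\
runtime: python39

handlers:
  - url: /static
    static_dir: static
  - url: /.*
    secure: optional
    script: auto
"""


def parse_handlers(text):
    """Minimal line-based parser for the `handlers:` section (assumption:
    flat `- key: value` items, no quoting or nesting; not a YAML parser)."""
    handlers, in_handlers = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line.startswith((" ", "\t", "-")):  # top-level key
            in_handlers = line.strip() == "handlers:"
            continue
        if not in_handlers:
            continue
        item = line.strip()
        if item.startswith("- "):  # new handler entry
            handlers.append({})
            item = item[2:]
        key, _, value = item.partition(":")
        if handlers:
            handlers[-1][key.strip()] = value.strip()
    return handlers


def insecure_handlers(text):
    """Return url patterns of handlers whose `secure` setting is not `always`."""
    return [h.get("url", "?") for h in parse_handlers(text)
            if h.get("secure") != "always"]
```

Run insecure_handlers over the real app.yaml contents; an empty list means every handler, including the catch-all, redirects HTTP to HTTPS.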

Remediation

Add a line to the app.yaml file controlling the application that enforces secure connections (the secure: always line below). For example:

handlers:
  - url: /.*
    secure: always
    redirect_http_response_code: 301
    script: auto

https://cloud.google.com/appengine/docs/standard/python3/config/appref

References

https://cloud.google.com/appengine/docs/standard/python3/config/appref
https://cloud.google.com/appengine/docs/flexible/nodejs/configuring-your-app-with-app-yaml