App Engine supports encryption in transit through TLS. As soon as the app is deployed, it can be requested using appspot.com domains or custom domains. By default, endpoints accept both clear-text and encrypted traffic. When communication isn’t encrypted, there is a risk that an attacker could intercept it and read confidential information.
When creating an App Engine app, request handlers can be set with different security levels for encryption:
- SECURE_NEVER: only HTTP requests are allowed (HTTPS requests are redirected to HTTP).
- SECURE_OPTIONAL and SECURE_DEFAULT: both HTTP and HTTPS requests are allowed.
- SECURE_ALWAYS: only HTTPS requests are allowed (HTTP requests are redirected to HTTPS).
Ask Yourself Whether
- The handler serves confidential data in HTTP responses.
There is a risk if you answered yes to this question.
Recommended Secure Coding Practices
It’s recommended for App Engine handlers to require TLS for all traffic. This can be achieved by setting the security level to SECURE_ALWAYS.
Sensitive Code Example
SECURE_DEFAULT, SECURE_NEVER and SECURE_OPTIONAL are sensitive TLS security levels:
resource "google_app_engine_standard_app_version" "example" {
  version_id = "v1"
  service    = "default"
  runtime    = "nodejs"
  handlers {
    url_regex                   = ".*"
    redirect_http_response_code = "REDIRECT_HTTP_RESPONSE_CODE_301"
    security_level              = "SECURE_OPTIONAL" # Sensitive
    script {
      script_path = "auto"
    }
  }
}
Compliant Solution
Force the use of TLS for the handler by setting the security level to SECURE_ALWAYS:
resource "google_app_engine_standard_app_version" "example" {
  version_id = "v1"
  service    = "default"
  runtime    = "nodejs"
  handlers {
    url_regex                   = ".*"
    redirect_http_response_code = "REDIRECT_HTTP_RESPONSE_CODE_301"
    security_level              = "SECURE_ALWAYS"
    script {
      script_path = "auto"
    }
  }
}
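A pre-deployment check for this rule, as an added example that is not part of the original page: it reads the JSON form of a Terraform plan (the output of terraform show -json) and reports every google_app_engine_standard_app_version handler whose security_level is not SECURE_ALWAYS. The sample plan is constructed, and reporting an unset level as a finding is an assumption based on the default behaviour described above.

```python
import json

RESOURCE_TYPE = "google_app_engine_standard_app_version"

# Constructed sample shaped like `terraform show -json <planfile>` output,
# trimmed to the fields this check reads.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": RESOURCE_TYPE + ".example", "type": RESOURCE_TYPE,
         "change": {"actions": ["create"], "after": {"handlers": [
             {"url_regex": "/static/.*", "security_level": "SECURE_ALWAYS"},
             {"url_regex": "/api/.*", "security_level": "SECURE_OPTIONAL"},
             {"url_regex": ".*", "security_level": None},
         ]}}},
        # A resource being destroyed has no "after" state and must not crash the check.
        {"address": RESOURCE_TYPE + ".old", "type": RESOURCE_TYPE,
         "change": {"actions": ["delete"], "after": None}},
    ]
})


def insecure_handlers(plan_json):
    """Return (address, url_regex, level) for each handler not set to SECURE_ALWAYS."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        after = (rc.get("change") or {}).get("after") or {}  # None when deleted
        for handler in after.get("handlers") or []:
            level = handler.get("security_level")
            if level != "SECURE_ALWAYS":
                # Assumption: an unset level is reported too, since by default
                # handlers accept both HTTP and HTTPS.
                findings.append((rc["address"], handler.get("url_regex"), level or "unset"))
    return findings


if __name__ == "__main__":
    for address, url_regex, level in insecure_handlers(SAMPLE_PLAN):
        print(f"{address}: handler {url_regex!r} has security_level {level}")
```

In a pipeline, pass the real plan JSON to insecure_handlers and fail the job when the returned list is not empty.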
See