
Secure your App Engine deployment by default


A basic hardening step for any web app is to serve every request over HTTPS and to redirect anything that arrives over plain HTTP. On App Engine this is configured in the deployment file. Note that the setting is not global: it is declared per handler in app.yaml and per security constraint in web.xml, so it has to cover every URL the app exposes, or the handlers you forget will keep answering over HTTP:

Runtime           Deployment file
Python, Go, PHP   app.yaml
Java              web.xml

HTTP → HTTPS redirection for Python/Go/PHP

app.yaml

secure: always
redirect_http_response_code: 301
  • `secure: always` makes App Engine refuse to serve the handler over HTTP and answer instead with a redirect to the same URL on HTTPS; on its own this is a temporary 302 redirection.
  • `redirect_http_response_code: 301` turns it into a permanent 301 redirection (cacheable by the browser and SEO friendly). The accepted values are 301, 302, 303 and 307, and the element only has an effect together with `secure: always`.
  • Both elements belong to a handler entry, not to the top level of app.yaml, so repeat them on every handler, as in the example below.

Example for a static site

  ...
  handlers:

  - url: /
    static_files: www/index.html
    upload: www/index.html
    secure: always
    redirect_http_response_code: 301

  - url: /
    static_dir: www
    secure: always
    redirect_http_response_code: 301

HTTP → HTTPS redirection for Java

web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPS redirect</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
  • A `CONFIDENTIAL` transport guarantee on the `/*` pattern makes App Engine redirect every HTTP request for the app to HTTPS with a 302 redirection. Narrower patterns (for example `/admin/*`) only protect the paths they match, so use `/*` unless you deliberately want an HTTP-only area.
  • When servlets are declared with `@WebServlet` annotations, web.xml is optional, so it may not exist yet and will have to be created to hold this constraint.
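Because the setting is per handler (app.yaml) and per constraint (web.xml), the mistake to look for in review is a handler or a path that was left out. The following script is an added example, not code from the original post, and is meant to cover both the Python/Go/PHP and the Java sections above: it reads the `handlers:` list of an app.yaml with a small purpose-built reader (the standard library has no YAML parser) and reports every handler without `secure: always` or with a redirect code outside the values App Engine accepts (301, 302, 303, 307), and it checks a web.xml for a `security-constraint` that pairs `url-pattern` `/*` with `transport-guarantee` `CONFIDENTIAL`. Both sample files embedded in the script are constructed for the example; the second and third app.yaml handlers are deliberately left unprotected so that the audit has something to find.

```python
"""Audit App Engine deployment files for HTTP -> HTTPS enforcement.

Added example, not code from the original post. It checks that every
app.yaml handler carries `secure: always` (the element is per handler,
so one forgotten handler stays reachable over plain HTTP) and that a
web.xml has a security-constraint whose url-pattern /* is CONFIDENTIAL.
The sample files below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed app.yaml: handler 1 is correct, handler 2 has no `secure`
# element at all, handler 3 uses `secure: optional` (HTTP still served).
SAMPLE_APP_YAML = """\
runtime: python39

handlers:
- url: /
  static_files: www/index.html
  upload: www/index.html
  secure: always
  redirect_http_response_code: 301

- url: /static
  static_dir: www

- url: /api/.*
  script: auto
  secure: optional
"""

# Constructed web.xml carrying the constraint shown in the post.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTPS redirect</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# Values App Engine accepts for redirect_http_response_code.
VALID_REDIRECT_CODES = {"301", "302", "303", "307"}


def parse_handlers(app_yaml):
    """Read the `handlers:` list of an app.yaml into a list of dicts.

    Deliberately minimal: only the flat `key: value` entries used by
    App Engine handlers are understood (nested maps such as http_headers
    are flattened into the same dict, which is harmless for this audit).
    """
    handlers, current, in_handlers = [], None, False
    for raw in app_yaml.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop YAML comments
        if not line.strip():
            continue
        if not line.startswith((" ", "-")):
            # A new top-level key: we are inside the list only for `handlers:`.
            in_handlers = line.startswith("handlers:")
            continue
        if not in_handlers:
            continue
        item = line.lstrip()
        if item.startswith("- "):                 # start of the next handler
            current = {}
            handlers.append(current)
            item = item[2:]
        key, _, value = item.partition(":")
        if current is not None:
            current[key.strip()] = value.strip()
    return handlers


def audit_app_yaml(app_yaml):
    """Return (url, problem) pairs for handlers that still answer over HTTP
    or carry an unsupported redirect code; an empty list means all good."""
    findings = []
    for handler in parse_handlers(app_yaml):
        url = handler.get("url", "?")
        secure = handler.get("secure", "")
        code = handler.get("redirect_http_response_code", "302")
        if secure != "always":
            findings.append((url, f"secure is {secure or 'unset'}, HTTP is served"))
        elif code not in VALID_REDIRECT_CODES:
            findings.append((url, f"unsupported redirect_http_response_code {code}"))
    return findings


def _local(tag):
    """Drop the namespace prefix ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(web_xml):
    """True when some security-constraint pairs url-pattern /* with
    transport-guarantee CONFIDENTIAL; the web-app namespace is ignored."""
    root = ET.fromstring(web_xml)
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        patterns = {e.text.strip() for e in constraint.iter()
                    if _local(e.tag) == "url-pattern" and e.text}
        guarantees = {e.text.strip() for e in constraint.iter()
                      if _local(e.tag) == "transport-guarantee" and e.text}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False


if __name__ == "__main__":
    for url, problem in audit_app_yaml(SAMPLE_APP_YAML):
        print(f"app.yaml handler {url}: {problem}")
    print("web.xml forces HTTPS on /*:", audit_web_xml(SAMPLE_WEB_XML))
```

Run it against your own files by replacing the two sample strings with `open("app.yaml").read()` and `open("web.xml").read()`; a clean app.yaml yields an empty list and a correct web.xml yields `True`. The reader is intentionally not a full YAML parser, so for app.yaml files that use anchors, flow style or multi-line values it is safer to load the file with PyYAML and feed the resulting `handlers` list straight into `audit_app_yaml`'s loop.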

More info

Note

This is a straightforward way to secure your web app, but there are other, more advanced best practices such as HSTS: the Strict-Transport-Security response header tells browsers to go straight to HTTPS on later visits, which removes the initial plain-HTTP request that the redirection above still lets through unencrypted. Room for additional tips?
