App Engine supports encryption in transit through TLS. As soon as the app is deployed, it can be requested using `appspot.com` domains or custom domains. By default, endpoints accept both clear-text and encrypted traffic. When communication isn't encrypted, there is a risk that an attacker could intercept it and read confidential information. When creating an App Engine, request handlers can be set with different security level for encryption: * `SECURE_NEVER`: only HTTP requests are allowed (HTTPS requests are redirected to HTTP). * `SECURE_OPTIONAL` and `SECURE_DEFAULT`: both HTTP and HTTPS requests are allowed. * `SECURE_ALWAYS`: only HTTPS requests are allowed (HTTP requests are redirected to HTTPS). == Ask Yourself Whether * The handler serves confidential data in HTTP responses. There is a risk if you answered yes to this question. == Recommended Secure Coding Practices It's recommended for App Engine handlers to require TLS for all traffic. It can be achieved by setting the security level to `SECURE_ALWAYS`. == Sensitive Code Example `SECURE_DEFAULT`, `SECURE_NEVER` and `SECURE_OPTIONAL` are sensitive TLS security level: [source,terraform] ---- resource "google_app_engine_standard_app_version" "example" { version_id = "v1" service = "default" runtime = "nodejs" handlers { url_regex = ".*" redirect_http_response_code = "REDIRECT_HTTP_RESPONSE_CODE_301" security_level = "SECURE_OPTIONAL" # Sensitive script { script_path = "auto" } } } ---- == Compliant Solution Force the use of TLS for the handler by setting the security level on `SECURE_ALWAYS`: [source,terraform] ---- resource "google_app_engine_standard_app_version" "example" { version_id = "v1" service = "default" runtime = "nodejs" handlers { url_regex = ".*" redirect_http_response_code = "REDIRECT_HTTP_RESPONSE_CODE_301" security_level = "SECURE_ALWAYS" script { script_path = "auto" } } } ---- == See * CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor] * CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information] * https://cloud.google.com/appengine/docs/standard/nodejs/application-security[GCP Documentation] - Overview of App Security ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message Make sure creating a App Engine handler without requiring TLS is safe here. endif::env-github,rspecator-view[]