App Engine application does not enforce HTTPS

Affecting App Engine service in Google


  • Severity 0.0 high
  • Severity Framework Snyk CCSS
  • Rule category Availability / Application

  • Frameworks CIS-Controls, CIS-Google, CSA-CCM, GDPR, HIPAA, ISO-27001, NIST-800-53, PCI-DSS, SOC-2
  • Snyk ID SNYK-CC-00432
  • credit Snyk Research Team

Description

The App Engine application does not enforce use of the HTTPS protocol.

How to fix?

Set the handlers.security_level attribute to SECURE_ALWAYS.

Example Configuration

resource "google_storage_bucket" "newappbuck1" {
  name     = "newappbuck1"
  location = "US"
}

resource "google_storage_bucket_object" "objectnewappbuck1" {
  name   = "hello-world432.zip"
  bucket = google_storage_bucket.newappbuck1.name
  source = "/home/sanjeev/terraform/hello-world.zip"
}

resource "google_app_engine_standard_app_version" "myapp_v2" {
  version_id      = "v3"
  service         = "newappz"
  runtime         = "python311"
  app_engine_apis = true

  entrypoint {
    shell = "gunicorn -b 80 main:app"
  }

  deployment {
    zip {
      source_url = "https://storage.googleapis.com/${google_storage_bucket.newappbuck1.name}/${google_storage_bucket_object.objectnewappbuck1.name}"
    }
  }

  handlers {
    # Redirect HTTP requests matching this handler to HTTPS.
    security_level = "SECURE_ALWAYS"
    script {
      script_path = "auto"
    }
  }
}
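
To catch this misconfiguration before deployment, the following added example (not Snyk's rule implementation and not code from this page) scans the JSON produced by `terraform show -json` for App Engine standard versions whose handlers are not set to SECURE_ALWAYS. The sample plan and the resource names `legacy` and `module.web...api` are constructed, and reporting a version with no handlers block is an assumption of this example.

```python
import json

APP_VERSION_TYPE = "google_app_engine_standard_app_version"  # type used on this page
# Constructed sample in the shape of `terraform show -json` output (not real data).
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "google_app_engine_standard_app_version.myapp_v2",
     "type": "google_app_engine_standard_app_version",
     "values": {"handlers": [{"security_level": "SECURE_ALWAYS"}]}},
    {"address": "google_app_engine_standard_app_version.legacy",
     "type": "google_app_engine_standard_app_version",
     "values": {"handlers": [{"security_level": "SECURE_OPTIONAL"},
                             {"security_level": null}]}}],
  "child_modules": [{"resources": [
    {"address": "module.web.google_app_engine_standard_app_version.api",
     "type": "google_app_engine_standard_app_version",
     "values": {"handlers": []}}]}]}}}
""")


def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_insecure_handlers(plan):
    """Return (address, reason) pairs for handlers not set to SECURE_ALWAYS."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != APP_VERSION_TYPE:
            continue
        handlers = res.get("values", {}).get("handlers") or []
        if not handlers:
            # Assumption of this example: with no handlers block, nothing enforces HTTPS.
            findings.append((res["address"], "no handlers block"))
        for i, handler in enumerate(handlers):
            level = handler.get("security_level")  # null in the plan when unset
            if level != "SECURE_ALWAYS":
                findings.append((res["address"], f"handlers[{i}].security_level={level!r}"))
    return findings


if __name__ == "__main__":
    for address, reason in find_insecure_handlers(SAMPLE_PLAN):
        print(f"{address}: {reason}")
```

In a pipeline, replace SAMPLE_PLAN with the parsed output of `terraform show -json` run on a saved plan file and fail the job when the returned list is non-empty.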
