App Engine application does not enforce HTTPS Affecting App Engine service in Google
Severity Framework
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Snyk CCSS
Rule category
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Availability/ Application
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
CIS-ControlsCIS-GoogleCSA-CCMGDPRHIPAAISO-27001NIST-800-53PCI-DSSSOC-2
- Snyk IDSNYK-CC-00432
- creditSnyk Research Team
Description
App Engine application does not enforce use of HTTPS protocol.
How to fix?
Set handlers.security_level attribute to SECURE_ALWAYS.
Example Configuration
resource "google_storage_bucket" "newappbuck1" {
name = "newappbuck1"
location = "US"
}
resource "google_storage_bucket_object" "objectnewappbuck1" {
name = "hello-world432.zip"
bucket = google_storage_bucket.newappbuck1.name
source = "/home/sanjeev/terraform/hello-world.zip"
}
resource "google_app_engine_standard_app_version" "myapp_v2" {
version_id = "v3"
service = "newappz"
runtime = "python311"
app_engine_apis = true
entrypoint {
shell = "gunicorn -b 80 main:app"
}
deployment {
zip {
source_url = "https://storage.googleapis.com/${google_storage_bucket.newappbuck1.name}/${google_storage_bucket_object.objectnewappbuck1.name}"
}
}
handlers {
security_level = "SECURE_ALWAYS"
script {
script_path = "auto"
}
}
}