App Engine supports encryption in transit through TLS. As soon as the app is deployed, it can be requested using appspot.com domains
or custom domains. By default, endpoints accept both clear-text and encrypted traffic. When communication isn’t encrypted, there is a risk that an
attacker could intercept it and read confidential information.
When creating an App Engine, request handlers can be set with different security levels for encryption:
SECURE_NEVER: only HTTP requests are allowed (HTTPS requests are redirected to HTTP).
SECURE_OPTIONAL and SECURE_DEFAULT: both HTTP and HTTPS requests are allowed.
SECURE_ALWAYS: only HTTPS requests are allowed (HTTP requests are redirected to HTTPS).
There is a risk if you answered yes to this question.
It’s recommended for App Engine handlers to require TLS for all traffic. It can be achieved by setting the security level to
SECURE_ALWAYS.
SECURE_DEFAULT, SECURE_NEVER and SECURE_OPTIONAL are sensitive TLS security levels:
resource "google_app_engine_standard_app_version" "example" {
  version_id = "v1"
  service    = "default"
  runtime    = "nodejs"
  handlers {
    url_regex                   = ".*"
    redirect_http_response_code = "REDIRECT_HTTP_RESPONSE_CODE_301"
    security_level              = "SECURE_OPTIONAL" # Sensitive
    script {
      script_path = "auto"
    }
  }
}
Force the use of TLS for the handler by setting the security level to SECURE_ALWAYS:
resource "google_app_engine_standard_app_version" "example" {
  version_id = "v1"
  service    = "default"
  runtime    = "nodejs"
  handlers {
    url_regex                   = ".*"
    redirect_http_response_code = "REDIRECT_HTTP_RESPONSE_CODE_301"
    security_level              = "SECURE_ALWAYS"
    script {
      script_path = "auto"
    }
  }
}
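To catch sensitive handlers before deployment, the following added example (not part of the original rule text) scans the JSON form of a Terraform plan, as produced by terraform show -json, and reports every google_app_engine_standard_app_version handler whose security_level is not SECURE_ALWAYS. The sample plan is constructed, and treating an unset level as sensitive is an assumption based on the default behaviour described above.

```python
import json
import sys

RESOURCE_TYPE = "google_app_engine_standard_app_version"

def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def insecure_handlers(plan):
    """Return (address, url_regex, level) for handlers not set to SECURE_ALWAYS."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != RESOURCE_TYPE:
            continue
        for handler in (res.get("values") or {}).get("handlers") or []:
            # Assumption: an unset level is reported too, since the default
            # behaviour accepts clear-text traffic.
            level = handler.get("security_level") or "unset"
            if level != "SECURE_ALWAYS":
                findings.append((res["address"], handler.get("url_regex"), level))
    return findings

# Constructed sample in the shape of `terraform show -json` output.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "google_app_engine_standard_app_version.example",
         "type": RESOURCE_TYPE,
         "values": {"handlers": [
             {"url_regex": "/api/.*", "security_level": "SECURE_ALWAYS"},
             {"url_regex": ".*", "security_level": "SECURE_OPTIONAL"}]}},
        {"address": "google_storage_bucket.assets",
         "type": "google_storage_bucket", "values": {}}],
    "child_modules": [{"resources": [
        {"address": "module.web.google_app_engine_standard_app_version.admin",
         "type": RESOURCE_TYPE,
         "values": {"handlers": [{"url_regex": "/admin/.*"}]}}]}]}}}

if __name__ == "__main__":
    plan = SAMPLE_PLAN
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    results = insecure_handlers(plan)
    for address, url_regex, level in results:
        print(f"{address}: handler {url_regex!r} has security_level {level}")
    sys.exit(1 if results else 0)
```

Run it with the path to a plan JSON file as the only argument; a non-zero exit status means at least one handler still accepts clear-text traffic.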