How to enforce HTTPS traffic to Google App Engine with custom domain?

Have you tried setting secure: always in your handlers in your app.yaml?

handlers:
- url: /youraccount/.*
  script: accounts.app
  login: required
  secure: always

always

Requests for a URL that match this handler that do not use HTTPS are automatically redirected to the HTTPS URL with the same path. Query parameters are preserved for the redirect

https://cloud.google.com/appengine/docs/standard/python/config/appref#handlers_element

secure: always still works in all standard environments, but the secure option has been deprecated in all flexible environments, see documentation here or here for Node.js.

If you need this feature in your current environment, the suggested solutions require changes to your application code. Either use the custom HTTP header X-Forwarded-Proto to redirect the HTTP traffic to HTTPS, or use the HTTP Strict Transport Security response header.

Not sure what backend language you are using, but you can brute-force to ssl by checking the request header then redirecting. Example:

if request.environ.get('HTTPS') == 'off':
    return redirect('https://www.example.com' + request.environ.get('PATH_INFO'), 301)

How to enforce HTTPS traffic to Google App Engine with custom domain?

Tags:

Ssl

Google App Engine

Google Domains

Related

Recent Posts