GrabObject

HTTP to HTTPS Migration on App Engine

This tutorial explains the steps required to move a website deployed on App Engine from HTTP to HTTPS. HTTPS is not only a search-engine (SEO) concern; its main purpose is to protect your website and your users' data in transit.

Running an HTTPS website means procuring an SSL certificate and renewing it before it expires, so there is an effort and a cost associated with HTTPS websites.

For a website deployed on App Engine, however, the cost is currently zero and the effort is minimal: SSL is configured from the Google Cloud console, and certificates are issued and renewed automatically and free of charge for now.

App Engine HTTP to HTTPS Migration Steps

  • Configure SSL in the Google Cloud console for the App Engine app.
  • Change URLs in the code to their https version.
  • Redirect http URLs to their https version.

Enable HTTPS on App Engine

To set up SSL for your website, first log in to the Google Cloud console. Click App Engine and then Settings in the left navigation; in the Custom domains tab, select the custom domain for which you want SSL enabled and click the Enable Managed Security button. This step obtains an SSL certificate and configures HTTPS for the selected domain.


Change URLs in the code to the https version

In your web application's code, change every URL that points to your domain to its https version. If you have followed the coding best practice of not hardcoding the domain, this step will take less time.

Redirect http URLs to the https version

It is very important from an SEO perspective that http requests are redirected to the https version. To make App Engine redirect http URLs to https, add a security constraint to the web.xml file and set the transport guarantee to CONFIDENTIAL.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>webapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

HSTS

To prevent man-in-the-middle attacks, a browser can be told to use only https for a website by adding the HTTP Strict-Transport-Security header to the response. The header can be set in code. For example, in Java, add the following line to the common header JSP file:

<% response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");%>

Browsers only learn about the Strict-Transport-Security header after making at least one request, so even with the header in place, the very first request to a secure website may still be sent over http.

To prevent this, add your domain to the HSTS preload list so that browsers ship with that knowledge built in and never send an http request to your website.
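The redirect and the HSTS header described above can also be centralised in one servlet filter instead of a web.xml constraint plus a JSP scriptlet. The filter below is an added example, not code from the original post; the class name HttpsEnforcementFilter is hypothetical, and it assumes a standard javax.servlet App Engine Java app where request.isSecure() reflects whether the request arrived over https.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: redirects plain-http requests to https and sets HSTS on https responses.
// Register it in web.xml with a filter-mapping whose url-pattern is /*.
public class HttpsEnforcementFilter implements Filter {
    // One year, cover subdomains. Add "; preload" only once you submit to the preload list,
    // which requires max-age of at least 31536000 and includeSubDomains.
    private static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    // Rebuilds the requested URL with the https scheme, keeping host, path and query string.
    static String toHttps(String requestUrl, String queryString) {
        String httpsUrl = "https" + requestUrl.substring(requestUrl.indexOf(':'));
        return queryString == null ? httpsUrl : httpsUrl + "?" + queryString;
    }

    @Override
    public void init(FilterConfig filterConfig) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // 301 so search engines transfer ranking to the https URL.
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location",
                    toHttps(request.getRequestURL().toString(), request.getQueryString()));
            return; // do not run the rest of the chain over plain http
        }

        // Browsers ignore Strict-Transport-Security received over http, so only set it here.
        response.setHeader("Strict-Transport-Security", HSTS_VALUE);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```

Keeping the web.xml security-constraint in place alongside the filter is harmless; the filter simply adds the HSTS header for every https response rather than only for pages that include the common header JSP.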