App Engine handlers should require TLS to ensure that traffic between clients and the application is encrypted in transit.
App Engine supports encryption in transit through TLS. By default, App Engine handlers accept both plain HTTP and encrypted HTTPS traffic. When
communication is not encrypted, an attacker with access to network traffic can intercept requests and responses, potentially reading or modifying
confidential information. This rule raises an issue when an App Engine handler is configured with a security_level that allows
unencrypted HTTP traffic, such as SECURE_NEVER, SECURE_OPTIONAL, or SECURE_DEFAULT.
If an App Engine handler does not require TLS, an attacker with access to the network can intercept unencrypted HTTP traffic. This can expose confidential data such as authentication tokens, personal information, or API keys transmitted in requests or responses.
Set the security_level to SECURE_ALWAYS to redirect all HTTP requests to HTTPS.
The following code is vulnerable because the App Engine handler uses SECURE_OPTIONAL, which allows both unencrypted HTTP and encrypted
HTTPS requests.
resource "google_app_engine_standard_app_version" "example" {
version_id = "v1"
service = "default"
runtime = "nodejs"
handlers {
url_regex = ".*"
redirect_http_response_code = "REDIRECT_HTTP_RESPONSE_CODE_301"
security_level = "SECURE_OPTIONAL" # Noncompliant
script {
script_path = "auto"
}
}
}
resource "google_app_engine_standard_app_version" "example" {
version_id = "v1"
service = "default"
runtime = "nodejs"
handlers {
url_regex = ".*"
redirect_http_response_code = "REDIRECT_HTTP_RESPONSE_CODE_301"
security_level = "SECURE_ALWAYS"
script {
script_path = "auto"
}
}
}