Security is a core feature of the Google Cloud, but there are still steps you should take to protect your App Engine app and identify vulnerabilities.
Use the following features to ensure that your App Engine app is secure. To learn more about the Google Security Model and the available steps that you can take to secure your Cloud projects, see Google Cloud Platform Security.
HTTPS requests
Use HTTPS requests to access to your App Engine app securely. Depending on how your app is configured, you have the following options:appspot.com domains
- Simply use the
httpsURL prefix to send HTTPS request to thedefaultservice of your Cloud project, for example:https://PROJECT_ID.REGION_ID.r.appspot.com
- To target specific resources in your App Engine app, you use the
-dot-syntax to separate each resource you want to target, for example:https://VERSION_ID-dot-SERVICE_ID-dot-PROJECT_ID.REGION_ID.r.appspot.com - Tip: You convert an HTTP URL to HTTPS by simply replacing the periods between each resource with
-dot-, for example:http://SERVICE_ID.PROJECT_ID.REGION_ID.r.appspot.comhttps://SERVICE_ID-dot-PROJECT_ID.REGION_ID.r.appspot.com
For more information about HTTPS URLs and targeting resources, see How Requests are Routed.Custom domains
To send HTTPS requests with your custom domain, you can use the managed SSL certificates that are provisioned by App Engine. For more information, see Securing Custom Domains with SSL.App handlers
To force HTTPS for your app’s handlers, you can specify the secure: always element for each handler in your app.yaml, for example: