Google App Engine: Secure Connections (https)
GAE accepts both HTTP and HTTPS connections on appspot.com URLs.
Default HTTPS Support
- HTTPS by default: When you deploy an app on Google App Engine, it automatically provides an HTTPS URL in the format https://<your-project-id>.appspot.com. This means your app benefits from secure, encrypted communication by default, without requiring any extra configuration.
- SSL/TLS certificates: Google App Engine automatically manages SSL/TLS certificates for the appspot.com domain, ensuring that the HTTPS connection is secure and up to date.
HTTP
- When users access the appspot.com URL via HTTP (e.g., http://<your-project-id>.appspot.com), the server handles the request and serves the app content without encryption.
HTTP to HTTPS Redirection
- App Engine still allows access to the app using the HTTP protocol (e.g., http://<your-project-id>.appspot.com), but it encourages users to use HTTPS for security. For production apps, it is common practice to redirect all HTTP traffic to HTTPS to ensure secure communication.
- You can implement this redirection in your app’s code, depending on your runtime environment, or by configuring a URL mapping in the app's app.yaml file to force HTTP requests to redirect to HTTPS. See YAML reference.
    handlers:
    - url: /.*
      script: auto
      secure: always  # Forces redirection to HTTPS
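The app-code alternative mentioned above, sketched as a WSGI middleware for a Python runtime. This is an added example, not code from App Engine or its documentation: the names `ForceHTTPS`, `hello` and `simulate` are hypothetical, it assumes the original scheme arrives in the `X-Forwarded-Proto` request header because TLS is terminated in front of the app, and the `Strict-Transport-Security` header on HTTPS responses goes beyond what this page describes.

```python
# Added example: WSGI middleware that redirects plain-HTTP requests to HTTPS.
# Assumption: the client's scheme arrives as X-Forwarded-Proto (TLS ends upstream).
from urllib.parse import quote

class ForceHTTPS:
    """Wrap a WSGI app; redirect HTTP to HTTPS and add HSTS on HTTPS replies."""

    def __init__(self, app, hsts_max_age=31536000):
        self.app = app
        self.hsts = ("Strict-Transport-Security", f"max-age={hsts_max_age}")

    def __call__(self, environ, start_response):
        scheme = environ.get("HTTP_X_FORWARDED_PROTO",
                             environ.get("wsgi.url_scheme", "http"))
        if scheme.split(",")[0].strip().lower() != "https":
            # Rebuild the URL from the Host header; drop an explicit :80 port.
            host = environ.get("HTTP_HOST", environ.get("SERVER_NAME", ""))
            if host.endswith(":80"):
                host = host[:-3]
            # PATH_INFO is already percent-decoded (as latin-1), so re-encode it.
            path = quote(environ.get("PATH_INFO", "/").encode("latin-1"))
            url = "https://" + host + path
            if environ.get("QUERY_STRING"):
                url += "?" + environ["QUERY_STRING"]
            # 301 for safe methods; 308 keeps the method and body otherwise.
            safe = environ.get("REQUEST_METHOD", "GET") in ("GET", "HEAD")
            status = "301 Moved Permanently" if safe else "308 Permanent Redirect"
            start_response(status, [("Location", url), ("Content-Length", "0")])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            # HSTS is only honoured over HTTPS, so add it on this path only.
            return start_response(status, list(headers) + [self.hsts], exc_info)

        return self.app(environ, with_hsts)

def hello(environ, start_response):  # stand-in application for the demo
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def simulate(app, environ):
    """Run one constructed request through a WSGI app; return (status, headers, body)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen.update(status=status, headers=dict(headers))
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

A request body sent over HTTP has already crossed the network in cleartext by the time the redirect is issued, so the redirect protects follow-up requests, not that first one.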
Custom Domains with HTTPS
- If you're using a custom domain (e.g., www.yourdomain.com), Google App Engine supports HTTPS on custom domains as well. Google automatically provisions SSL certificates for your custom domains if you manage your DNS settings through Google Cloud.
- You can also bring your own SSL certificate if you prefer to manage SSL certificates yourself.