Enable HSTS redirects from HTTP/80 to HTTPS/443 in AGOL

2122
2
02-15-2018 12:00 PM
Status: Implemented
pfoppe
by MVP
MVP

Background:

An ArcGIS Online (AGOL) organization allows both HTTP (tcp port 80) and HTTPS (tcp port 443) access by default. To adequately protect data in transit it is recommended to force HTTPS (port 443) only.

References:

Furthermore, there is a United States government wide HTTPS only standard as mandated by the Office of Management and Budget (OMB) - https://https.cio.gov/

Bottom line - it is in the Esri Customers best interest to enable HTTPS on the AGOL organization.

The Problem:

Enabling HTTPS (tcp/443) only is challenging for Esri customers that have an existing AGOL organization that have HTTP(80) historically enabled. There are possibly hundreds and thousands of AGOL items that are referenced using HTTP (embedded in public web-sites, AGOL web-apps like story maps, etc). If HTTPS/443 is required (and HTTP/80 disabled) it could possibly break existing web-maps/apps/services that have historically been accessed (and linked/bookmarked) by HTTP. Manually assessing and and correcting these links is non-trivial. Many story-map type of applications have hard coded/embedded references to other story-maps/web-apps within HTML content that is configured with the story-map.

The Request:

1) If the ORG admin had the ability to enable HSTS secure redirects then any content in that organization that is referenced over HTTP would re-direct to HTTPS.

Alternativly, Esri could enable HSTS for ALL organizations (and possibly provide an admin setting to disable it if an org does not wish to have it enabled).

References:

2) Please also consider adding esri and AGOL domains to the HSTS preload list - https://https.cio.gov/hsts/#hsts-preloading

Other Considerations:

It is important to note that this will not resolve redirects for externally referenced links. For example... photos hosted in flikr or services with other organizations (or stand alone server environments) that have not enabled HSTS re-directs. Other than some sort of cludgy HTTPS proxy in front of those I dont have any great ideas to resolve that problem other than manually (or scripted) identification and correction on a case by case basis. I expect there will still be mixed content issues with this scenario (hopefully mostly passive)

References:

This request is specific to AGOL.  Customers using the Portal for ArcGIS product can control this with HTTP headers in their network appliances or HTTP servers.  However, It would be a best practice to enable this capability on portal the same way AGOL is enabled for consistency.  

On another note, TLS 1.0 is still enabled on the *.maps.arcgis.com domain. It is recommended to have TLS 1.0 disabled by JUNE 2018. This is important, however the crux of this idea is all about HTTPS re-directs.

References:

Thank you for the consideration. Please let us know if you need additional information.

2 Comments
ThomasColson

I may be naïve in assuming the most of AGOL users are gov users...so why is TLS 1.0 still on? Even better, a "shame" list of those orgs still publishing REST endpoints over http!

by Anonymous User

HTTPS only and HSTS were implemented with the ArcGIS Online site-wide HTTPS enforcement on December 8, 2020. This article and this video go over the changes in more depth. Thank you for the idea submission, and please let me know if I have missed an aspect of this idea that was not implemented. With the new Esri community guidelines, I would be happy to assist in creating a new idea to address it.