Why use “HTTPS Only” setting in ArcGIS Online?

2408
2
10-22-2015 10:06 AM
JoeFlannery
Regular Contributor II

In ArcGIS Online (AGOL) security settings, if “HTTPS Only” is enabled, most state and federal map services are not accessible to users.  On the other hand, if our ArcGIS Server is set to use SSL/HTTPS when delivering project map services to AGOL users, thus encrypting username and password information, what is the need to have “HTTPS Only” enabled on the AGOL side of this equation?

Thank you for your attention to my question.

0 Kudos
2 Replies
ChrisSmith7
Frequent Contributor

I'm not completely familiar with AGOL - we host ArcGIS Server within our enterprise and expose to the public - but setting to https only shouldn't prevent users from accessing services (unless https is not supported, that is, the service only allows http - this is bad practice) - they would just be accessing via https instead of http. On the other hand, piping in services over http may cause access issues, e.g. if the app is shown on a page with secured resources, the browser may block the http request because it would be serving mixed content. This is why, in our set-up, we only allow https.

0 Kudos
JoeFlannery
Regular Contributor II

Chris:

In AGOL, if "HTTPS Only" is unchecked in the Security settings, the users can consume both HTTP and HTTPS content when building their map.  It is my understanding that, depending on the end-user's browser type, "mixed content" could be a problem.  So, with my maps services being served from an HTTPS server and UN/PW protected, why enable "HTTPS Only" on the AGOL-side?  My services and passwords are protected enroute between my server and AGOL.  What I cannot have is government "HTTP Only" map services blocked from users if "HTTPS Only" is enabled for our AGOL site.  Users need those data to get their jobs done.

I agree with Michael Young's blog article "Sharing Web GIS Services? Always enable TLS" where he states "Ask operators of any HTTP only services to at least add HTTPS as an option.", but not all government agencies delivering "HTTP Only" data will change overnight and we need their information.