Overview of App Security

Region ID

The REGION_ID is an abbreviated code that Google assigns based on the region you select when you create your app. The code does not correspond to a country or province, even though some region IDs may appear similar to commonly used country and province codes. Including REGION_ID.r in App Engine URLs is optional for existing apps and will soon be required for all new apps.

To ensure a smooth transition, we are slowly updating App Engine to use region IDs. If we haven't updated your Google Cloud project yet, you won't see a region ID for your app. Since the ID is optional for existing apps, you don't need to update URLs or make other changes once the region ID is available for your existing apps.

Learn more about region IDs.

Security is a core feature of the Google Cloud, but there are still steps you should take to protect your App Engine app and identify vulnerabilities.

Use the following features to ensure that your App Engine app is secure. To learn more about the Google Security Model and the available steps that you can take to secure your Cloud projects, see Google Cloud Platform Security.

HTTPS requests

Use HTTPS requests to access to your App Engine app securely. Depending on how your app is configured, you have the following options:

appspot.com domains
  • Simply use the https URL prefix to send HTTPS request to the default service of your Cloud project, for example:
    https://PROJECT_ID.REGION_ID.r.appspot.com
  • To target specific resources in your App Engine app, you use the -dot- syntax to separate each resource you want to target, for example:
    https://VERSION_ID-dot-SERVICE_ID-dot-PROJECT_ID.REGION_ID.r.appspot.com

  • Tip: You convert an HTTP URL to HTTPS by simply replacing the periods between each resource with -dot-, for example:
    http://SERVICE_ID.PROJECT_ID.REGION_ID.r.appspot.com
    https://SERVICE_ID-dot-PROJECT_ID.REGION_ID.r.appspot.com

For more information about HTTPS URLs and targeting resources, see How Requests are Routed.

Custom domains

To send HTTPS requests with your custom domain, you can use the managed SSL certificates that are provisioned by App Engine. For more information, see Securing Custom Domains with SSL.

Access control

In each Cloud project, set up access control to determine who can access the services within the project, including App Engine. You can assign different roles to different accounts to ensure each account has only the permissions it needs to support your app. For details see, Setting Up Access Control.

App Engine firewall

The App Engine firewall enables you to control access to your App Engine app through a set of rules that can either allow or deny requests from the specified ranges of IP addresses. You are not billed for traffic or bandwidth that is blocked by the firewall. Create a firewall to:

Allow only traffic from within a specific network
Ensure that only a certain range of IP addresses from specific networks can access your app. For example, create rules to allow only the range of IP addresses from within your company's private network during your app's testing phase. You can then create and modify your firewall rules to control the scope of access throughout your release process, allowing only certain organizations, either within your company or externally, to access your app as it makes its way to public availability.
Allow only traffic from a specific service
Ensure that all the traffic to your App Engine app is first proxied through a specific service. For example, if you use a third-party Web Application Firewall (WAF) to proxy requests directed at your app, you can create firewall rules to deny all requests except those that are forwarded from your WAF.
Block abusive IP addresses
While Google Cloud has many mechanisms in place to prevent attacks, you can use the App Engine firewall to block traffic to your app from IP addresses that present malicious intent or shield your app from denial of service attacks and similar forms of abuse. You can blacklist IP addresses or subnetworks, so that requests routed from those addresses and subnetworks are denied before it reaches your App Engine app.

For details about creating rules and configuring your firewall, see Controlling App Access with Firewalls.

Ingress controls

By default, your App Engine app receives all HTTP requests that are sent to its appspot URL or to a custom domain that you have configured for your app. For apps in the flexible environment, this includes requests from the internet as well as requests from a Virtual Private Cloud network that you can create in your app's Google Cloud project. Apps in the standard environment do not receive requests from a Virtual Private Cloud (VPC).

You can use network ingress controls to restrict traffic so that your app only receives HTTP requests that are sent from one or both of the following:

  • Your project's VPC (applicable only to apps in the flexible environment). Restricting traffic to your VPC means that your app will receive requests that are sent from your private network, but not from the internet.

  • The Cloud Load Balancing load balancer. Restricting traffic to Cloud Load Balancing means that your app will receive requests that are routed through the load balancer, but not direct requests sent from the internet.

If you use Cloud Load Balancing with your App Engine app, we recommend that you use ingress controls so that your app only receives requests sent from the load balancer (and the VPC if you use it). Otherwise, users can use your app's App Engine URL to bypass the load balancer, Google Cloud Armor security policies, SSL certificates, and private keys that are passed through the load balancer.

To set up ingress controls, use the gcloud beta app services update command. If you haven't already installed the gcloud beta component, you will be prompted to install it when you run gcloud beta app services update.

For example:

  • Update the default service of an App Engine app to accept traffic only from the project's VPC and from Cloud Load Balancing:

    gcloud beta app services update --ingress internal-and-cloud-load-balancing
  • Update a service named "internal-requests" to accept traffic only from the project's VPC:

    gcloud beta app services update internal-requests --ingress internal-only
  • View the ingress settings and other information for the default service:

    gcloud beta app services describe
    

Security scanner

The Google Cloud Security Scanner discovers vulnerabilities by crawling your App Engine app, following all that links within the scope of your starting URLs, and attempting to exercise as many user inputs and event handlers as possible.

In order to use the security scanner, you must be an owner of the Cloud project. For more information on assigning roles, see Setting Up Access Control.

You can run security scans from the Google Cloud Console to identify security vulnerabilities in your App Engine app. For details about running the Security Scanner, see the Security Scanner Quickstart.