Best Practices

This page describes best practices for using Cloud Identity-Aware Proxy (Cloud IAP).

Caching

  • Don't use a third-party CDN in front of your application. CDNs may cache content and serve cached pages to unauthenticated users.
    • If you have large, non-sensitive resources that you want to serve from a CDN, use a separate domain such as images.yourapp.com for these resources. Use the CDN with that domain and add the Cache-Control: private HTTP response header to all objects that should only be served to authenticated users.
  • The App Engine standard environment may serve data out of cache.
    • By default, dynamic content generated by your app is set as non-cacheable. Your app can override this by setting a Cache-Control header in its HTTP responses. Only override the setting for non-sensitive content that should be available to unauthenticated users.
    • By default, App Engine caches static content such as images for up to 10 minutes. If you have sensitive static content, you should override this by setting the default expiration time to 0. Following are links to information about how to set the default expiration time for specific languages:

Securing your app

To properly secure your app, you must use signed headers for App Engine flexible environment, Compute Engine, and Container Engine applications. Signed headers aren't supported for App Engine standard environment applications. Instead, those applications should use the approach described in Getting the User's Identity. Read about how to secure your app with signed headers.

Configuring your firewall

  • Make sure all requests to Compute Engine or Container Engine are routed through the load balancer:
    • Configure a firewall rule to allow health checking and make sure that all traffic to your Virtual Machine (VM) is from a Google Front End (GFE) IP.
    • For additional protection, check the source IP of requests in your app to make sure they're from the same IP range that the firewall rule allows.
  • In Cloud Console, Cloud IAP displays an error or warning if your firewall rules appear to be set up incorrectly. The Cloud IAP Cloud Console doesn't detect which VM is used for each service, so the firewall analysis doesn't include advanced features like non-default networks and firewall rule tags. To bypass this analysis, enable Cloud IAP through the gcloud beta compute backend-services update command.
