What Is HTTPS?
HTTPS is short for Hypertext Transfer Protocol Secure, the version of HTTP used for secure communication. This protocol allows secure transmission of incoming and outgoing data between a client, such as a web browser, and the server. Search ranking of content is also improved with HTTPS, so the use of HTTPS is strongly recommended for critical applications.
How Is The ArcGIS Platform Affected?
ArcGIS Online currently supports HTTP or HTTPS configuration. However, with the update scheduled for December 8, 2020, the default setting “HTTPS only” will apply and customers will no longer have the ability to disable it.
Does The Switch To HTTPS Only Affect Me?
Switching ArcGIS Online to HTTPS only will affect you only when any of the following scenarios or workflows apply to your operations.
- Items that support only HTTP (and not HTTPS), that are added as items, and that do not use ArcGIS Online sharing will not be accessible. This includes all items in the client’s ArcGIS Enterprise configuration.
- Python scripts that clients use for data management or backup in ArcGIS Online will stop working if they use HTTP URL references.
- Items referenced in external links that support HTTP only will not be accessible through the browser due to mixed content conflicts.
This will not affect web services referenced through the ArcGIS Online sharing proxy.
What Items Can Use The ArcGIS Online Sharing Proxy?
- Access to protected layers added to ArcGIS Online with stored credentials
- Access to resources from different domains (for example, servers that do not support CORS, usually third-party OGC servers)
- Services that are queried using HTTP GET requests longer than 2048 characters
What Is There To Do?
For example, you purchased your ArcGIS Online subscription before September 2020 AND this subscription is still configured to allow HTTP and HTTPS.
What Is The Scope Of Compatibility Of The Tools Provided?
ArcGIS Security Monitor is not supported through Esri Support Services. We recommend reviewing the help information related to these tools when working through the HTTP identification and resolution process. Esri Support Services will escalate any potential issues with the tools to the software security team.
Obtain And Decide The Type Of Security Certificate You Need
To enable the necessary security protocol on a website, you must first obtain a security certificate issued by a certification authority, which is in charge of verifying that the site belongs to you. The certificate must be configured with a high level of security, using a key of 2048 bits.
To choose a certificate for a site, the owner must decide what type is needed and choose from a trusted certificate authority that can offer technical assistance.
Certificates can be unique for a single safe origin, wildcard for a safe origin with different dynamic subdomains, or a certificate for multiple domains from known safe origins.
Use Server 301 Redirects
The website should redirect search engines and users to the HTTPS resource with a server-side HTTP 301 redirect.
Do Not Block Or Use No-Index Meta Tags For Your HTTPS Pages
Do not include ‘noindex’ meta tags on HTTPS pages and do not block HTTPS pages using ‘robots.txt’ files.
Whether the Google robot can access a company's pages can be verified with the ‘explore as Google’ tool.
Enable The HSTS Security Mechanism
HTTPS websites must be compatible with HTTP Strict Transport Security (HSTS). This instructs browsers to request HTTPS pages automatically. This security mechanism also tells Google to show secure URLs in search results in order to offer users protected content.
You need a web server that supports this mechanism and must enable the HSTS features on it. To enable it, follow these steps:
- First, implement HTTPS on all pages without the HSTS mechanism.
- Then send HSTS headers with a short duration parameter, ‘max-age’, and monitor user traffic and the performance of certain elements such as advertisements.
- Progressively increase the ‘max-age’ parameter.
Most browsers use an HSTS preload list, in which a website should be included if doing so does not harm users or search engines.
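The rollout steps above, as an added example that is not part of the original article: a Python check that parses a Strict-Transport-Security response header and reports which step the site is at. The function names and the SHORT_MAX_AGE threshold are assumptions chosen for illustration; the one-year minimum together with includeSubDomains and preload follows the preload list's published submission requirements.

```python
# Added example: parse a Strict-Transport-Security header (RFC 6797 syntax)
# and report where the site is in the staged HSTS rollout.
# SHORT_MAX_AGE is an illustrative assumption, not a value from the article.

SHORT_MAX_AGE = 86400            # assumed "short" test window: up to one day
PRELOAD_MIN_MAX_AGE = 31536000   # one year, minimum asked for preload submission


def parse_hsts(header):
    """Return a dict of directives, or None if a browser would ignore the header."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        value = value.strip().strip('"')   # the value may be a quoted-string
        if name in directives:             # a repeated directive invalidates the header
            return None
        directives[name] = value
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):   # max-age is required and numeric
        return None
    directives["max-age"] = int(age)
    return directives


def rollout_stage(header, scheme="https"):
    """Classify a response's HSTS header against the rollout steps."""
    if scheme != "https":
        return "ignored: browsers only honour HSTS received over HTTPS"
    if header is None:
        return "step 1: HTTPS without HSTS"
    policy = parse_hsts(header)
    if policy is None:
        return "invalid: header would be ignored"
    age = policy["max-age"]
    if age == 0:
        return "disabled: max-age=0 tells browsers to drop the policy"
    if age <= SHORT_MAX_AGE:
        return "step 2: short max-age, monitor traffic"
    if (age >= PRELOAD_MIN_MAX_AGE and "includesubdomains" in policy
            and "preload" in policy):
        return "preload-ready"
    return "step 3: max-age being increased"
```

Pass the header value exactly as the server sent it (or None when it is absent) and the scheme of the response that carried it.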