Esri is planning to enforce HTTPS Only in the World Geocoding Service on September 29, 2020. This important security update is likely to affect some ArcGIS software and custom solutions. Esri customers must act now to be ready for this change.
HTTPS has always been an available URL for the World Geocoding Service since the service debuted in 2012. With the update planned for September 29, 2020, the HTTPS URL will be enforced as the only available endpoint, and customers will no longer have the option of submitting requests to the HTTP URL.
Note: This is in addition to the HTTPS Only enforcement that is planned in ArcGIS Online on December 8, 2020.
What does this change mean for our customers?
HTTPS, short for Hypertext Transfer Protocol for secure communication, allows for the secure transmission of data, both incoming and outgoing, between a client—such as a web browser—and the server. All data is encrypted, so anyone monitoring the traffic won’t be able to capture any sensitive information.
Currently, the World Geocoding Service supports communication over HTTPS (encrypted) and HTTP (not encrypted). After the update on September 29, 2020, World Geocoding Service will no longer communicate over HTTP. This change is being made to improve the security of web communication and to meet security requirements mandated by customers. This blog provides specific information about the United States government requirements to move to HTTPS Only.
What customers are affected by this change?
Customers affected by this change are those who currently use and host World Geocoding Service content, like services, images, and documents that do not support HTTPS.
Links (URLs) pointing to this World Geocoding Service content will stop working when contacted via HTTP after this change. The following are some user scenarios:
Are there customers who will not be affected by this change?
Yes. Customers who already use HTTPS Only communication in their geocoding service requests are not affected.
What is the impact to customers using any of the affected software?
Once HTTPS Only is enforced, customers who use HTTP communication in their World Geocoding Service requests will receive an error message. The error message indicates that the protocol is not supported.
What does Esri recommend that customers do?
Esri recommends that customers start using authentication and adding tokens to their service requests.
Customers should switch their application code and scripts to HTTPS communication, and test their service requests prior to September 29, 2020, so there are no surprises.
What needs to be done to switch to HTTPS communication?
Determine the origin of the service requests to the World Geocoding Service. This can be an application, a widget, a script, or your Enterprise installation.