Answer
Note:
This is a living document, and the information on this page is updated regularly as we roll out this change.
What is HTTPS?
HTTPS, short for Hypertext Transfer Protocol for Secure communication, allows for the secure transmission of data, both incoming and outgoing, between a client, such as a web browser, and the server. There is improved performance when using HTTPS coupled with HTTP/2. HTTPS/2 is a major revision of the HTTP protocol. Content search ranking is improved as well with HTTPS, so for critical applications, HTTPS is strongly recommended. Since all data is encrypted, confidentiality is improved, and anyone monitoring the network traffic won’t be able to capture any sensitive information. Esri is enforcing HTTPS with HSTS to increase the security posture of ArcGIS.
What is HSTS?
HTTP Strict Transport Security (HSTS) is a web security technology that secures HTTPS web servers against downgrade attacks. Downgrade attacks (also known as SSL stripping attacks) are a form of a man-in-the-middle attack in which an attacker redirects web browser from a correctly configured HTTPS webserver to a malicious server.
How is ArcGIS affected?
Esri made these changes in a phased approach. Esri customers must act to accommodate this change.
- Formerly, ArcGIS Online supported configuring HTTP or HTTPS. With the update of December 8, 2020, the “HTTPS Only” default has been enforced, and customers can no longer have the option of turning it off. However, for ArcGIS Enterprise, the customer has full control of the HTTPS/HSTS enforcement for their configuration.
- ArcGIS Hub has been updated to enforce the use of the HTTPS-only standard on all sites and pages, starting September 8th, 2020.
- Esri enforced HTTPS Only in the World Geocoding Service on September 29, 2020. This important security update is likely to affect some ArcGIS software and custom solutions.
Am I affected by the switch to HTTPS Only?
You will be affected when ArcGIS Online was switched to HTTPS Only if any of the following scenarios or workflows is true to your operations:
- Customer items already added to ArcGIS Online with HTTP Only URLs will be inaccessible. This includes all items added to ArcGIS Online that are hosted by the customer’s on-premise ArcGIS Enterprise server. Remember that no new items will be added via HTTP.
- Customers with map documents or packages (. mxd or. Aprx) that contain layers from ArcGIS Online that were added using plaintext (HTTP), will need to update the references to the layers.
- Customers with Python scripts for administration or backup of data in ArcGIS Online using HTTP URL references will no longer work. The scripts must be updated to use HTTPS URLs.
- Any items added to ArcGIS Online from links external to ArcGIS with HTTP only URLs will be inaccessible via a browser due to mixed-content conflicts. This includes:
- links in the item details
- popups, etc.
- Web services that are referred to via the ArcGIS Online sharing proxy will be unaffected.
Which items may use the ArcGIS Online sharing proxy?
- Adding or accessing secured layers or services from an ArcGIS Enterprise configuration to ArcGIS Online with stored credentials
- Accessing Cross-Domain resources (for example, servers that do not support CORS – typically 3rd-party OGC servers)
- Services queried using HTTP GET statements that exceed 2048 characters
If your organization is affected, you must take action for continued access to your resources. For example, you acquired your ArcGIS Online subscription prior to September 2018 AND your subscription is still set to allow both HTTP and HTTPS -The actions below provide more information about what to do next to eliminate downtime before the switch to HTTPS only.
- All customers need to review their organization’s settings to make sure HTTPS Only is enabled. For example, if you do not see the option to toggle between HTTPS Only and both HTTP/HTTPS, then your subscription already requires HTTPS.
- Customers must update all the items in their organization that are HTTP Only.
What tools are available for the customer?
- Native tools - these are tools that are built-in to ArcGIS Online or Enterprise
- Use the Layer Settings options available in each web map to update layer references to HTTPS, as shown in the following image.
By selecting Update Layers to HTTPS, the tool validates that the layers participating in the web map are accessible via HTTPS, and if so, updates the reference.
After selecting Update Layers, a list of layer references is returned, including those that cannot be upgraded to HTTPS, as shown below:
- The Update ArcGIS Server Site references tool is designed to allow for a change in the GIS Server’s FQDN but can be used to bulk update all references to the root FQDN to HTTPS. This tool also validates whether the remote server supports HTTPS.
Note:
Esri strongly recommends validating whether the remote server supports HTTPS before making this change.
- Non-native tools: These tools are provided by Esri’s Software Security and Privacy Team to assist with administration and validation of your ArcGIS Organization.
- The ArcGIS Security Advisor is a non-native tool created by the Esri Software Security & Privacy Team to help advise on ArcGIS security settings and review your logs:
- This tool works in both ArcGIS Online and ArcGIS Enterprise (Portal for ArcGIS) - Note: The HTTP check in this tool does not require administrative credentials for users with many of the items in your organization.
What is the support scope for the tools provided?
The ArcGIS Security Advisor is not supported via Esri Support Services. We strongly recommend reviewing the help information for these tools while work through the HTTP identification and remediation process. Esri Support Services will submit any bugs or enhancements in the tools to the Software Security team.
Tools native to ArcGIS Online are fully supported by Esri Support Services.
Will the option to "Allow access to the organization through HTTPS only" in ArcGIS Online settings, change all the existing layers on ArcGIS Online to HTTPS? Or must the the layers be updated manually?
The layers must be updated manually. See <document>:
Will there be any patches released for ArcGIS Enterprise, ArcGIS Server, or Portal for ArcGIS to help with updating items that are HTTP to HTTPS?
No, please use the available tools to help identify the items in your Enterprise configuration and then update the items. Also, refer to the additional resources provided below for assistance on how to update the layers in web maps to use HTTPS.
Additional Resources:
We also recommend that our customers to review the references in the Related Information section below as additional resources for updating HTTP content to HTTPS: