FAQ: What do I need to know about HTTPS Only and the ArcGIS Platform?
Note: This page will be updated as more information becomes available.
What is HTTPS?
HTTPS, short for Hypertext Transfer Protocol for Secure communication, allows for the secure transmission of data, both incoming and outgoing, between a client, such as a web browser, and the server. Performance improves when HTTPS is coupled with HTTP/2, a major revision of the HTTP protocol. Content search ranking also improves with HTTPS, so HTTPS is strongly recommended for critical applications. Because all data is encrypted, confidentiality is improved, and anyone monitoring the network traffic won’t be able to capture any sensitive information. Esri is enforcing HTTPS with HSTS to increase the security posture of the ArcGIS Platform.
What is HSTS?
HTTP Strict Transport Security (HSTS) is a web security technology that secures HTTPS web servers against downgrade attacks. Downgrade attacks (also known as SSL stripping attacks) are a form of man-in-the-middle attack in which an attacker redirects a web browser from a correctly configured HTTPS web server to a malicious server.
How is the ArcGIS Platform affected?
Currently, ArcGIS Online supports configuring HTTP or HTTPS. With the update planned for December 8, 2020, the “HTTPS Only” default will be enforced, and customers will no longer have the option of turning it off. For ArcGIS Enterprise, however, the customer has full control of the HTTPS/HSTS enforcement for their configuration.
Am I affected by the switch to HTTPS Only?
You will be affected when ArcGIS Online is switched to HTTPS Only if any of the following scenarios or workflows applies to your operations:
- Items that only support HTTP (and not HTTPS) that are added as items and do not use the ArcGIS Online sharing will be inaccessible. This includes all items from the customer’s ArcGIS Enterprise configuration.
- Customers with map documents or packages (.mxd or .aprx) that contain layers from ArcGIS Online that were added using plaintext (HTTP) will need to update the references to the layers.
- Python scripts for administration or backup of data in ArcGIS Online that use HTTP URL references will no longer work. The scripts must be updated to use HTTPS URLs.
- Items referred to in external links that support only HTTP will be inaccessible via a browser due to mixed-content conflicts.
- Web services that are referred to via the ArcGIS Online sharing proxy will be unaffected.
Which items may use the ArcGIS Online sharing proxy?
- Accessing secured layers added to ArcGIS Online with stored credentials
- Accessing Cross-Domain resources (for example, servers that do not support CORS – typically 3rd-party OGC servers)
- Services queried using HTTP GET statements that exceed 2048 characters
What needs to be done?
If your organization is affected, you must take action for continued access to your resources. For example, you acquired your ArcGIS Online subscription prior to September 2018 AND your subscription is still set to allow both HTTP and HTTPS. The actions below provide more information about what to do next to eliminate downtime before the switch to HTTPS Only.
- All customers need to review their organization’s settings to make sure HTTPS Only is enabled. For example, if you do not see the option to toggle between HTTPS Only and both HTTP/HTTPS, then your subscription already requires HTTPS.
- Customers must update all the items in their organization that are HTTP Only.
What tools are available for the customer?
- Native tools
- Use the Layer Settings options available in each web map to update layer references to HTTPS, as shown in the following image.
By selecting Update Layers to HTTPS, the tool validates that the layers participating in the web map are accessible via HTTPS, and if so, updates the reference.
After selecting Update Layers, a list of layer references is returned, including those that cannot be upgraded to HTTPS, as shown below:
- The Update ArcGIS Server Site References tool is designed to allow for a change in the GIS Server’s FQDN but can be used to bulk update all references to the root FQDN to HTTPS. This tool does not validate if the remote server supports HTTPS – be sure to validate whether the remote server supports HTTPS before making this change.
- Non-native tools: These tools are provided by Esri’s Software Security and Privacy Team to assist with administration and validation of your ArcGIS Organization.
- Use the ArcGIS Security Advisor. This requires administrative privileges to the organization, and is only available for ArcGIS Online.
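The two manual steps described above, finding HTTP URL references in administration scripts and confirming that the remote server supports HTTPS before changing a reference, can be combined in one pass. The following is an added example, not an Esri tool or code from this page; the function names, the sample hosts and the decision to leave URLs with an explicit port for manual review are assumptions of the example.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

HTTP_URL = re.compile(r"http://[^\s'\"<>)]+", re.IGNORECASE)

def https_status(host, timeout=5.0):
    """Return (reachable_over_https, hsts_header) using normal certificate validation."""
    req = urllib.request.Request(f"https://{host}/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return True, resp.headers.get("Strict-Transport-Security")
    except urllib.error.HTTPError as err:
        # An HTTP error status still means the TLS handshake succeeded.
        return True, err.headers.get("Strict-Transport-Security")
    except OSError:
        # DNS failure, refused connection, timeout, or certificate error.
        return False, None

def upgrade_references(text, check=https_status):
    """Rewrite http:// to https:// only for hosts that pass `check`; return (text, report)."""
    verdicts, report = {}, {}
    def swap(match):
        url = match.group(0)
        parts = urlsplit(url)
        if parts.port is not None:
            # An explicit port points at the HTTP listener; a scheme swap alone is not enough.
            report[url] = "manual review: explicit port"
            return url
        if parts.hostname not in verdicts:
            verdicts[parts.hostname] = check(parts.hostname)
        ok, hsts = verdicts[parts.hostname]
        if not ok:
            report[url] = "kept: host not reachable over HTTPS"
            return url
        report[url] = "upgraded" if hsts else "upgraded (no HSTS header)"
        return "https://" + url[len("http://"):]

    return HTTP_URL.sub(swap, text), report

# Constructed sample script text; the hosts are placeholders.
SAMPLE = '''portal = "http://maps.example.com/sharing/rest"
layer = "http://old.example.org/arcgis/rest/services/Parcels/MapServer"
server = "http://gis.example.net:6080/arcgis/rest/services"
'''

if __name__ == "__main__":
    print(*upgrade_references(SAMPLE)[1].items(), sep="\n")
```

Review the report before saving the rewritten text: references marked "kept" or "manual review" still point at HTTP and need the remote server fixed or the URL corrected by hand.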
What is the support scope for the tools provided?
The ArcGIS Security Advisor is not supported via Esri Support Services. We strongly recommend reviewing the help information for these tools while working through the HTTP identification and remediation process. Esri Support Services will escalate any potential issues in the tools to the Software Security team.
Tools native to ArcGIS Online are fully supported by Esri Support Services.
Will there be any patches released for ArcGIS Enterprise, ArcGIS Server, or Portal for ArcGIS to help with updating items that are HTTP to HTTPS?
No. Please use the available tools to help identify the items in your Enterprise configuration and then update the items. Also, refer to the additional resources provided below for assistance on how to update the layers in web maps to use HTTPS.
We also recommend that customers review the references in the Related Information section below as additional resources for updating HTTP content to HTTPS:
- How can I update layers in my web map or web scene to use HTTPS?
- How can I update layers in a web map that reference my ArcGIS Server layers?
- How can I change the data source URL protocol for my secure service with embedded credentials to HTTPS?
- How can I configure HTTPS on ArcGIS Server?
- How can I update my ArcMap portal connections?
- ArcGIS Trust Center