Important Updates for ArcGIS and HTTPS Only Enforcement
On December 8th, 2020, Esri enforced "HTTPS Only" and HSTS for ArcGIS Online and the World Geocoding Service. This important security update may affect some ArcGIS software and custom solutions. Esri has provided the following information and resources for customers who are affected by this change.
This shift from the original date of September 15th, 2020 was to ensure that all our customers had a six-month period for remediation and preparation before the change was enforced. However, the change to HTTPS Only was made on September 29th, 2020 for the World Geocode Service.
Also, due to the current Coronavirus pandemic, ArcGIS Online operation was raised to a heightened state and resources are being dedicated to critical issues related to the pandemic. All non-critical changes are on hold until further notice.
ArcGIS uses the HTTPS protocol as a key component of its security for web and service API connections. This includes connections between our software, such as ArcGIS Desktop and ArcGIS Enterprise, with ArcGIS Online.
“HTTPS Only” has been a default configuration setting in ArcGIS Online since September 2018, so all new subscriptions since this time do not have the option to disable HTTPS. For ArcGIS Enterprise since version 10.4, while HTTPS ENABLED has been the default, HTTPS ONLY has been the default since version 10.7. With ArcGIS Enterprise, users have the option of turning this capability off if desired.