Important Updates for the ArcGIS Platform and HTTPS Only Enforcement
Esri is planning to enforce "HTTPS Only" and HSTS for ArcGIS Online and the World Geocoding Service. This important security update is likely to affect some ArcGIS software and custom solutions. Esri customers will need to act now to be ready for this change now coming December 8th, 2020.
This shift from the original date of September 15th, 2020 is to ensure that all our customers have a six month period for remediation and preparation before the change is enforced. However, the change to HTTPS Only will be made September 29th, 2020 for the World Geocode Service.
Also, due to the current Coronavirus pandemic, ArcGIS Online operation was raised to a heightened state and resources are being dedicated to critical issues related to the pandemic. All non-critical changes to the solution are on hold until further notice.
The ArcGIS Platform uses the HTTPS protocol as a key component of its security for web and service API connections. This includes connections between our software, such as ArcGIS Desktop and ArcGIS Enterprise, with ArcGIS Online.
“HTTPS Only” has been a default configuration setting in ArcGIS Online since September 2018, so all new subscriptions since this time do not have the option to disable HTTPS. For ArcGIS Enterprise since version 10.4, while HTTPS ENABLED has been the default, HTTPS ONLY has been the default since version 10.7. With ArcGIS Enterprise, users have the option of turning this capability off if desired.