Important Updates for ArcGIS and HTTPS Only Enforcement

Summary

On December 8th, 2020, Esri enforced "HTTPS Only" and HSTS for ArcGIS Online and the World Geocoding Service. This important security update may affect some ArcGIS software and custom solutions. Esri has provided the following information and resources for customers who are affected by this change.

The date was moved from the original September 15th, 2020 to ensure that all our customers had a six-month period for remediation and preparation before the change was enforced. However, the change to HTTPS Only was made on September 29th, 2020 for the World Geocoding Service.

Also, due to the current Coronavirus pandemic, ArcGIS Online operation was raised to a heightened state and resources are being dedicated to critical issues related to the pandemic. All non-critical changes are on hold until further notice.

ArcGIS uses the HTTPS protocol as a key component of its security for web and service API connections. This includes connections between our software, such as ArcGIS Desktop and ArcGIS Enterprise, with ArcGIS Online.

NOTE

“HTTPS Only” has been a default configuration setting in ArcGIS Online since September 2018, so new subscriptions created since then do not have the option to disable HTTPS. For ArcGIS Enterprise, HTTPS ENABLED has been the default since version 10.4, and HTTPS ONLY has been the default since version 10.7. With ArcGIS Enterprise, users have the option of turning this capability off if desired.

What is HTTPS?

What is HSTS?

How is ArcGIS affected?

Am I affected by the switch to HTTPS Only?

What needs to be done?

What tools are available for the customer?

What is the support scope for the tools provided?

Will there be any patches released for ArcGIS Enterprise, ArcGIS Server, or Portal for ArcGIS to help with updating items that are HTTP to HTTPS?

How is the World Geocoding Service affected by HTTPS Only enforcement?

What do I need to know about ArcGIS Hub regarding enforcement of the HTTPS-Only Standard, update to HTML Rules, and legacy site shutoff?

Additional Resources