Important Updates for the ArcGIS Platform and HTTPS Only Enforcement

Important Updates for the ArcGIS Platform and HTTPS Only Enforcement

Esri is planning to enforce "HTTPS Only" and HSTS for ArcGIS Online and the World Geocoding Service. This important security update is likely to affect some ArcGIS software and custom solutions. Esri customers will need to act now to be ready for this change now coming December 8th, 2020.

This shift from the original date of September 15th, 2020 is to ensure that all our customers have a six month period for remediation and preparation before the change is enforced. However, the change to HTTPS Only will be made September 29th, 2020 for the World Geocode Service.

Also, due to the current Coronavirus pandemic, ArcGIS Online operation was raised to a heightened state and resources are being dedicated to critical issues related to the pandemic. All non-critical changes to the solution are on hold until further notice.

The ArcGIS Platform uses the HTTPS protocol as a key component of its security for web and service API connections. This includes connections between our software, such as ArcGIS Desktop and ArcGIS Enterprise, with ArcGIS Online.


“HTTPS Only” has been a default configuration setting in ArcGIS Online since September 2018, so all new subscriptions since this time do not have the option to disable HTTPS. For ArcGIS Enterprise since version 10.4, while HTTPS ENABLED has been the default, HTTPS ONLY has been the default since version 10.7.   With ArcGIS Enterprise, users have the option of turning this capability off if desired.

What is HTTPS?

What is HSTS?

How is the ArcGIS Platform affected?

Am I affected by the switch to HTTPS Only?

What needs to be done?

What tools are available for the customer?

What is the support scope for the tools provided?

Will there be any patches released for ArcGIS Enterprise, ArcGIS Server, or Portal for ArcGIS to help with updating items that are HTTP to HTTPS?

How is the World Geocoding Service affected by HTTPS Only enforcement?

What do I need to know about ArcGIS Hub regarding enforcement of the HTTPS-Only Standard, update to HTML Rules, and legacy site shutoff?

Additional Resources