How is the World Geocoding Service affected by HTTPS Only enforcement?

Answer

Esri is planning to enforce HTTPS Only in the World Geocoding Service on September 29, 2020. This important security update is likely to affect some ArcGIS software and custom solutions. Esri customers must act now to be ready for this change.

HTTPS has always been an available URL for the World Geocoding Service since the service debuted in 2012. With the update planned for September 29, 2020, the HTTPS URL will be enforced as the only available endpoint, and customers will no longer have the option of submitting requests to the HTTP URL.

Note: 
This is in addition to the HTTPS Only enforcement that is planned in ArcGIS Online on December 8, 2020.

What does this change mean for our customers?
HTTPS, short for Hypertext Transfer Protocol for secure communication, allows for the secure transmission of data, both incoming and outgoing, between a client—such as a web browser—and the server. All data is encrypted, so anyone monitoring the traffic won’t be able to capture any sensitive information. 
Currently, the World Geocoding Service supports communication over HTTPS (encrypted) and HTTP (not encrypted). After the update on September 29, 2020, World Geocoding Service will no longer communicate over HTTP. This change is being made to improve the security of web communication and to meet security requirements mandated by customers. This blog provides specific information about the United States government requirements to move to HTTPS Only.

What customers are affected by this change?
Customers affected by this change are those who currently use and host World Geocoding Service content, like services, images, and documents that do not support HTTPS.
Links (URLs) pointing to this World Geocoding Service content will stop working when contacted via HTTP after this change. The following are some user scenarios:

• Users who have both HTTP and HTTPS communication enabled for their geocoding service requests via proxy services in Server and Enterprise
• Users who have applications built that use HTTP communication for the geocoding service requests
• Users who have scripts written that use HTTP communication for the geocoding service requests
• Users who have widgets built with hard coded services URLs with HTTP Only

Are there customers who will not be affected by this change?
Yes. Customers who already use HTTPS Only communication in their geocoding service requests are not affected.

What is the impact to customers using any of the affected software?
Once HTTPS Only is enforced, customers who use HTTP communication in their World Geocoding Service requests will receive an error message. The error message indicates that the protocol is not supported.

What does Esri recommend that customers do?
Esri recommends that customers start using authentication and adding tokens to their service requests. 
Customers should switch their application code and scripts to HTTPS communication, and test their service requests prior to September 29, 2020, so there are no surprises.

What needs to be done to switch to HTTPS communication?

Determine the origin of the service requests to the World Geocoding Service. This can be an application, a widget, a script, or your Enterprise installation.

1. Find the source code for the application or widget, or the primary copy of the script, and search for HTTP.
2. Locate the URL used in the request to the World Geocoding service and replace the HTTP version with the HTTPS version:
   • From: http://geocode.arcgis.com/arcgis/rest/services/World/GeocodeServer
   • To: https://geocode.arcgis.com/arcgis/rest/services/World/GeocodeServer

• Enterprise users will open the utility services and configure the Geocoding service(s) to use the HTTPS version of the URL. 
• Consider authenticating the requests with ArcGIS Online credentials or make use of a token. See the article: Authenticate a request to the World Geocoding Service