Unsecured request by the taskqueue
56 views
Skip to first unread message
JohnGB
Mar 3, 2016, 10:53:36 AM3/3/16
to Google App Engine
It seems that the calls from the push taskqueue are made using an unsecured HTTP, and not a HTTPS connection. Given that sensitive information is often passed on the taskqueue, is it possible to change this?
Nick (Cloud Platform Support)
Mar 3, 2016, 2:53:43 PM3/3/16
to Google App Engine
Hey John,
Given that the HTTP requests for push queues exist only within our secured infrastructure and aren't exposed to anything but the endpoint which receives them, there's no need to worry about eavesdropping attacks which motivate the existence of SSL and HTTPS. When it comes to using the Task Queues REST API, this is protected by HTTPS and OAuth2.0, so again there should be no cause for concern.
If you'd like, for any reason, to suggest a feature request on the platform, feel free to lodge these in the App Engine Public Issue Tracker or the Cloud Platform Public Issue Tracker. Those issue trackers are triaged regularly and you should see a response relatively quickly.
Best wishes,
Nick
Cloud Platform Community Support
Given that the HTTP requests for push queues exist only within our secured infrastructure and aren't exposed to anything but the endpoint which receives them, there's no need to worry about eavesdropping attacks which motivate the existence of SSL and HTTPS. When it comes to using the Task Queues REST API, this is protected by HTTPS and OAuth2.0, so again there should be no cause for concern.
If you'd like, for any reason, to suggest a feature request on the platform, feel free to lodge these in the App Engine Public Issue Tracker or the Cloud Platform Public Issue Tracker. Those issue trackers are triaged regularly and you should see a response relatively quickly.
Best wishes,
Nick
Cloud Platform Community Support
Nick (Cloud Platform Support)
Mar 3, 2016, 2:55:46 PM3/3/16
to Google App Engine
Although, there is the question of securing the endpoint against user requests from outside the Task Queues infrastructure. In that case, a small section in the documentation explains how to protect the endpoint with "login: admin" in app.yaml when deploying.
On Thursday, March 3, 2016 at 10:53:36 AM UTC-5, JohnGB wrote:
JohnGB
Mar 3, 2016, 4:25:59 PM3/3/16
to Google App Engine
Thanks for the info Nick.
Part of the pain with this is that I have middleware which forces secure connections. To have an exception for this, I will have to change to having per route middleware, which is quite frankly ugly code wise. But it seems like that is the only option open here. I'll likely lodge an issue on that link.
~ John
Nick (Cloud Platform Support)
Mar 4, 2016, 3:13:51 PM3/4/16
to Google App Engine
Hey John,
Ah, that makes sense. Yep, feel free to file a Feature Request explaining your entire situation and we can see what we can do about it!
Ah, that makes sense. Yep, feel free to file a Feature Request explaining your entire situation and we can see what we can do about it!
Reply all
Reply to author
Forward
0 new messages