google-app-engine
Adding HSTS headers in app.yaml (Google App Engine)
I have the following handlers section in my app.yaml:

    handlers:
    - url: /(robots\.txt|sitemap\.xml)
      static_files: \1
      upload: (robots\.txt|sitemap\.xml)
      secure: always
      http_headers:
        Strict-Transport-Security: 'max-age=63072000; includeSubDomains; preload'
    - url: /.*
      script: main.app
      secure: always
      http_headers:
        Strict-Transport-Security: 'max-age=63072000; includeSubDomains; preload'

and another subdomain, served by another submodule (static.yaml), has the following:

    handlers:
    - url: /
      static_dir: files
      secure: always
      http_headers:
        Access-Control-Allow-Origin: '*'
        Strict-Transport-Security: 'max-age=63072000; preload'

I was able to deploy static.yaml to App Engine without any issues:

    $ appcfg.py update static.yaml
    12:48 PM Host: appengine.google.com
    12:48 PM Application: XXXXXX; module: static; version: 1
    12:48 PM Starting update of app: XXXXXXXX, module: static, version: 1
    12:48 PM Getting current resource limits.
    12:48 PM Scanning files on local disk.
    [...]
    [...]
    12:49 PM Checking if updated app version is serving.
    12:49 PM Completed update of app: XXXXXX, module: static, version: 1

whereas, when I try to update the app.yaml configuration, I get:

    $ appcfg.py update app.yaml
    12:48 PM Host: appengine.google.com
    Usage: appcfg.py [options] update <directory> | [file, ...]
    appcfg.py: error: Error parsing .\app.yaml: Unexpected attribute "http_headers" for mapping type script.
      in ".\app.yaml", line 31, column 1.

I understand that this means I'd have to handle the HSTS configuration in my Python script itself. But I have ~10 handlers in the main.app interface. Instead of updating each of those to add the STS header, is there some alternative to do so at the app.yaml level itself?

Checking the app.yaml reference on GAE, there is no mention of a restriction of the http_header directive in script type mappings.
I was looking over HTTP headers in app.yaml today and saw this. It appears to be related to your issue.

    "In addition, the header Strict-Transport-Security is removed from responses served from any domains other than *.appspot.com."

https://cloud.google.com/appengine/docs/python/how-requests-are-handled#Python_Responses