You are correct. *secure* handlers have been deprecated <https://cloud.google.com/appengine/docs/flexible/nodejs/upgrading#appyaml_changes> for the App Engine flexible environment. The current recommendation is to use the *Strict-Transport-Security <https://tools.ietf.org/html/rfc6797>* response header. Clients should then know to use HTTPS for future requests. I'd also recommend redirecting the initial request to HTTPS as well with a *302* or 301 to ensure no insecure content is sent.
Note that the Google Cloud Load Balancer terminates all HTTPS connection and forward traffic to your application over HTTP. The *X-Forwarded-Proto <https://cloud.google.com/appengine/docs/flexible/nodejs/how-requests-are-handled#x-forwarded-proto_http_https>* request header should be consulted to determine if the original request was over HTTP or HTTPS. It seems like the library you linked, koa-sslify, has an option to respect this header: *trustProtoHeader <https://github.com/turboMaCk/koa-sslify#available-options>*. I've not tested it myself but would be worth trying if using that middleware. On Tuesday, April 18, 2017 at 10:49:20 AM UTC-4, Sergey Shekyan wrote: > > Answer to myself: handlers are not supported in custom flex environment. > Using koa-sslify <https://github.com/turboMaCk/koa-sslify> solved my > problem. > > On Mon, Apr 17, 2017 at 10:41 PM, Sergey Shekyan <[email protected] > > wrote: > >> Cannot really figure out how redirect all HTTP traffic to HTTPS with 301 >> redirect. >> It is a node app with a Java dependency. >> >> In app.yaml added >> ``` >> >> handlers: >> >> - url: /.* >> >> script: ignored >> >> secure: always >> >> redirect_http_response_code: 301 >> >> ``` >> >> >> but nothing really changes. >> > > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/0b160f8e-2549-4677-94f1-7ed3849a23a5%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
