ArcGIS Blog

Administration

ArcGIS Online

Prepare for Next Major ArcGIS Online Security Advancement Now

By Michael Young

While all ArcGIS Online organizations established after September 2018 only allow HTTPS communication (encrypted), we still have many pre-existing organizations who have chosen not to utilize HTTPS only for their web services.  If your ArcGIS Online organization is already utilizing HTTPS and you don’t have any external systems making requests to HTTP-based services, then this change will be a non-event for you.

For customers who do not yet enforce HTTPS, please begin preparing now for when ArcGIS Online enforces HTTPS Only for all organizations with the December 2020 release.  This change is being made to improve ArcGIS Online web security communication and to meet security requirements mandated by customers, such as site-wide enforcement of HTTP Strict Transport Security (HSTS).

Transitioning to HTTPS Only can be a significant task for customers who share services with only HTTP support and for customers who have built web maps and apps with references to HTTP services, both from within ArcGIS Online and external to it (such as an older ArcGIS Server instance that is configured to only communicate via HTTP).  To help ease this effort, we will be releasing an updated version of the ArcGIS Online Security Advisor next week that includes a check for HTTP references in a customer’s ArcGIS Online deployment.  To use the tool, just have your ArcGIS Online organization administrator go to our ArcGIS Trust Center @ https://Trust.ArcGIS.com and click the “Launch Security Advisor” button on the upper right of the page.  You will be able to see if your organization is currently enforcing HTTPS, and if not, the new HTTP Checker will allow you to instantly view HTTP references within your organization so you can quickly correct them.

A Python tool will be released in 2020 that can be utilized against both ArcGIS Online and ArcGIS Enterprise for discovering HTTP references that should be corrected to HTTPS.

Expect to hear much more about this change over the next several months – We will be talking more about this effort and briefly demonstrate the updated Security Advisor tool at the User Conference next week as part of the “ArcGIS Online: An Introduction to Security, Privacy, and Compliance” presentation.


– Esri Software Security & Privacy

Share this article