As of December 2020, Esri will enforce HTTPS Only for all ArcGIS Online organizations. This important security update is likely to affect some ArcGIS software and custom solutions along with content in ArcGIS Online. You may have already received a few emails about this change, but if you still have any concerns about whether or not this transition will affect you, we’ve got you covered.
The ArcGIS Platform uses HTTPS (Hypertext Transfer Protocol for secure communication), as a key component of its security for web and service API connections. This includes connections between our software, such as ArcGIS Desktop and ArcGIS Enterprise, with ArcGIS Online. Esri will be enforcing HTTPS Only, without exception, in December 2020, to increase the security of the ArcGIS Platform.
Why is this change important?
Encrypting sensitive information is the primary reason to enforce the use of HTTPS. This encryption is important because the information you send over the Internet is usually passed between many computers before it gets to the destination server. HTTPS allows for the secure transmission of data, both incoming and outgoing, between a web browser and website. Because all data gets encrypted, anyone monitoring the traffic won’t be able to capture any sensitive information.
The use of HTTPS also protects against man-in-the-middle attacks, in which a malicious agent intercepts unsecured communication over a network and poses as the legitimate source of the communication to both the client and the server.
Okay, but does it affect me?
Customers affected by this change are those who currently use and host ArcGIS Online content, like services, images and documents that do not currently support HTTPS. URLs pointing to this ArcGIS Online content will stop working after the update if steps are not taken to make this transition.
Further to this, the change only affects customers who created their organization before September 2018 who have not already switched to HTTPS Only. This is because "HTTPS Only" has been the default configuration setting in ArcGIS Online since September 2018. All new subscriptions since this time do not have the option to disable HTTPS Only and are therefore not affected. With the update planned for December 2020, this “HTTPS Only” default will be enforced for all organizations.
If you’re using ArcGIS Enterprise, since version 10.7 the default setting has been HTTPS Only, creating a secure communication channel for web traffic, although users have the option of turning this capability off if desired. Users of ArcGIS Enterprise will continue to have full control of the HTTPS enforcement for their configuration.
I’m affected, how will it impact me?
After the update, those who use HTTP services or URLs in their ArcGIS Online items will no longer be able to load HTTP layers. An error message will be received indicating that the protocol is not supported. Please refer to the list of scenarios or workflows below to see how else you may be impacted by the change:
- You have both HTTP and HTTPS communication enabled in your ArcGIS Online organization.
- You own map documents or packages (.mxd or.aprx) that contain layers from ArcGIS Online that were added using plaintext (HTTP). You will need to update the references to the layers.
- You use python scripts which use HTTP URL’s to reference content in ArcGIS Online. These will no longer work and the scripts must be updated to use HTTPS URLs.
- You have registered HTTP Only URLs as items in ArcGIS.com, such as an image or ArcGIS Server service.
Are there customers who will not be affected by this change?
Yes. Customers who already have enabled “HTTPS Only” in their ArcGIS Online organization will not be impacted by this security update.
In addition, customers who have all their content (services, images, etc.) hosted in ArcGIS Online will not need to do anything to get ready for this security update. ArcGIS Online content will automatically transition to HTTPS communication with the update.
What actions should I take if I am affected?
We recommend that you consult the Important Updates for the ArcGIS Platform and HTTPS Only Enforcement Support page and follow the action plan outlined as soon as possible. This Support page will be updated as more information becomes available.
In addition to reviewing the Support page, we recommend switching your ArcGIS Online organization setting to “HTTPS Only” and testing content prior to December 2020, so there are no surprises. Moving forward, we recommend that when you add layers to maps or add layers as items in ArcGIS Online, you use HTTPS URLs.
To have continued access to your content, you will need to update all the items in your organization that are HTTP Only to HTTPS. As the owner or administrator of a web map or scene, you can update all layers in the map or scene to use HTTPS from the Settings tab of the map's or scene's item description page:
If a layer does not support HTTPS, you are notified and the layer is not updated. In this case, it is recommended to contact the owner of the layer, who can either configure the layer to support HTTPS or provide an alternative resource.
What tools are available to help?
There are plenty of resources available to help ease this transition. In addition to the resources linked at the end of this blog, you can use the ArcGIS Security Advisor to run an HTTP check. The ArcGIS Security Advisor offers a simple interface for ArcGIS Online administrators to review security settings and past changes to the ArcGIS Online organizations at a glance. The tool reports the current security state of your ArcGIS Online organization and provides remediation guidance for any potential findings discovered.
For ArcGIS Enterprise – The HTTP Checker python script (which is still under development) will be used. Keep an eye on the Support page for this becoming available.
Do you have questions not answered here?
We also recommend reviewing the information below as additional resources for updating HTTP content to HTTPS:
- How can I update layers in my web map or web scene to use HTTPS?
- How can I update layers in a web map that reference my ArcGIS Server layers?
- How can I change the data source URL protocol for my secure service with embedded credentials to HTTPS?
- How can I configure HTTPS on ArcGIS Server?
- How can I update my ArcMap portal connections?
- Secure ArcGIS Server communication
If you have more questions or would like clarification on anything discussed in these resources, don’t hesitate to leave a comment below or reach out to Esri Canada’s Technical Support team at firstname.lastname@example.org.
About the AuthorMore Content by Andrea Becker