Google’s App Engine is a Platform as a Service (PaaS) for developers that provides features and frameworks to quickly and easily build scalable web applications. Developers can create applications and deploy them to the App Engine. When a web application is created using the App Engine, the application is assigned a unique project ID. Developers can create a custom project ID or they can choose a default generated project id. The URL to access the application will follow the form “<project-id> ”For a subdomain of appspot.com. For example, if the project ID is demo12, then the URL will be https://ga-dev-tools.demo12.appspot.com/ . However, employing this sort of domain name can create multiple security issues:
- A phishing attack could use a similar-looking web application and domain name. For example, an attacker could create the malicious application demo13.appspot.com, which is similar to the legitimate name demo12.appspot.com. Because the application is assigned to a subdomain of appspot.com, the name of the malicious application looks very convincing and hard to differentiate from the original name.
- If the DNS record for *.appspot.com is entered by mistake or through DNS cache poisoning, then the application will be adversely affected.
- The domain is assigned a wildcard certificate, which creates more headaches for the developers because they need to ensure the path and domain of cookies are properly constrained.
- The certificate is controlled by Google. Thus for any certificate-related errors—such as expiration, strong or weak signing algorithms, trusted or untrusted certificate signing authorities, or certificates not self-signed—the application will be dependent on Google. Because the certificate is a wild card, extended validation of certificates cannot be enforced, though this is recommended for financial applications.
Apart from security issues, most organizations want their customers to see a custom domain name instead a subdomain of appspot.com. Thus it is necessary to have a custom domain. One can get a domain name from a domain name registrar and then use it with the App Engine or buy one from within the Google portal.
Follow these steps to add a custom domain name for your application:
- Log in to the Google Cloud Platform Console.
- Navigate to “App Engine” and “Settings” as shown in the following screenshot or enter https://console.cloud.google.com/appengine/settings/domains in the address bar. Click on the “Custom Domains” tab and then on “Add a custom domain.” If you do not yet have a custom domain name, buy one from a domain name registrar or click on “Register a new domain” to buy one from Google.
- Select “Verify a new domain” from and enter your custom domain name as shown in the following screenshot. Click on “Verify” and follow the steps to prove that you own that custom domain.
- The domain name is now verified and should be updated under the “Custom Domains” tab. If not, click on “Refresh domains.”
- Select the application for which to you want to associate this custom domain name and click “Submit mappings.”
- Note the DNS records displayed. Go to your domain registrar website and update your DNS configuration with the noted DNS records. It can take some time for the changes to propagate, depending on your DNS provider.
- Confirm access to the application using the custom domain name.
Reference
This blog post was written by Piyush Mittal.