Use helmet, secure setting under handlers in app.yaml is depricated in the Google App Engine Latest Release.
https://helmetjs.github.io/docs/hsts/
https://expressjs.com/en/advanced/best-practice-security.html
// Forcing HTTPS connections on Gooogle App Engine Flexible Environment sample app.js
'use strict';
const express = require('express');
const helmet = require('helmet');
const app = express();
const port = process.env.PORT || 8080;
app.disable('x-powered-by');
app.enable('trust proxy');
app.use(helmet.hsts({
maxAge: 31536000,
includeSubDomains: true,
preload: true,
setIf: function (req, res) {
return req.secure;
}
}));
app.get('/', (req, res) => {
if (!req.secure) {
res.redirect(301, "https://" + req.headers.host + req.originalUrl);
}
res.status(200).send("hello, world\n").end();
});
app.listen(port, () => {
console.log(`App listening on port ${port}`);
console.log('Press Ctrl+C to quit.');
});
Upgrading to the App Engine Latest Release
The secure setting under handlers is now deprecated for the App Engine flexible environment. If you need SSL redirection, you can update your application code and use the X-Forwarded-Proto header to redirect http traffic.
https://cloud.google.com/appengine/docs/flexible/php/upgrading#appyaml_changes
Forcing HTTPS connections
For security reasons, all applications should encourage clients to connect over https. You can use the Strict-Transport-Security header to instruct the browser to prefer https over http for a given page or an entire domain, for example:
Strict-Transport-Security: max-age=31536000; includeSubDomains
https://cloud.google.com/appengine/docs/flexible/php/how-requests-are-handled
HTTPS and forwarding proxies
With Express.js, use the trust proxy setting
app.set('trust proxy', true);
https://cloud.google.com/appengine/docs/flexible/nodejs/runtime#https_and_forwarding_proxies
Noneis the problem. Try fixing your code so you can add a script there. – GAEfan