Question

Since App Engine is so locked down I assume there is no way to set up an SSL certificate to allow credit card payments. In the absence of this, how is it possible to securely handle payments in an App Engine app?

Solution

http://code.google.com/appengine/docs/java/config/webxml.html#Secure_URLs says that

 <ssl-enabled>true</ssl-enabled>

can be set in your appengine-web.xml file with *.appspot.com subdomains. Google had a typo in their opening tag on that page, just FYI. For Google Apps you can't use HTTPS at all, but for appspot you can.

As far as using your own cert, you can't! For appspot, Google's cert is not signed for your web-app's specific domain so it will cause a browser pop-up, but if accepted the page will load.
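A configuration sketch for the setting mentioned above, added here as an example and not part of the original answer or of Google's documentation. It pairs `<ssl-enabled>` in `appengine-web.xml` with a standard servlet `security-constraint` in `web.xml` so that payment URLs are only served over HTTPS; the `/checkout/*` path is a hypothetical placeholder for wherever the app handles card data.

```xml
<!-- File: WEB-INF/appengine-web.xml (fragment; other elements omitted) -->
<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
  <!-- Allow HTTPS on the app's *.appspot.com address. -->
  <ssl-enabled>true</ssl-enabled>
</appengine-web-app>

<!-- File: WEB-INF/web.xml (fragment; goes inside <web-app>) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>payments</web-resource-name>
    <!-- Assumed path: replace with the URLs that accept card data. -->
    <url-pattern>/checkout/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL: plain-HTTP requests to these URLs are redirected
         to the same URL over HTTPS instead of being served. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

With `ssl-enabled` alone the same pages remain reachable over plain HTTP; the `transport-guarantee` is what keeps the payment paths off the unencrypted channel.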

OTHER TIPS

As of today, App Engine supports SSL on your own domain. See: https://developers.google.com/appengine/docs/ssl

Note that there are two options. The more expensive (VIP - $99 per month) will work with all browsers, whereas the cheaper (SNI - $9 per month) doesn't work on some variations. See here: http://en.wikipedia.org/wiki/Server_Name_Indication#Support

You can also use e.g. Cloudflare.com to front your app and provide SSL. Currently this is HTTPS to Cloudflare and then normal HTTP to App Engine. This will protect from any drive-by hacks, but it would be possible to intercept should an attacker somehow get between CF and GAE. This technique is described here: http://blorn.com/post/20185054195/ssl-for-your-domain-on-google-app-engine

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow