Secure your app with minimum TLS (flexible environment)
Stay organized with collectionsSave and categorize content based on your preferences.
To increase security, starting in March 2025, support for Transport Layer Security (TLS) version 1.1 and earlier is deprecated.Update your application settingsin the App Engine flexible environment to use TLS version 1.2 and later, along with a corresponding secure set of cipher suites.
When you select the latest TLS version, App Engine automatically
blocks insecure traffic, without requiring you toconfigurea
global external Application Load Balancer to route requests to your application.
To upgrade your existing applications to use
only TLS version 1.2 and later, follow theinstructionsin this
guide.
Supported TLS versions and cipher suites
The security of TLS connections depends on the negotiated cipher suite, a
combination of cryptographic algorithms. These cipher suites are identified by
IANA values, as detailed in the following table:
In theApplication settingstab, clickEdit application settings.
From theSSL Policylist, selectTLS 1.2+ (Modern ciphers).
This selection only allows TLS version 1.2 and later, with modern cipher
suites. If you want to allow less secure TLS versions,
such as 1.0 and later, selectTLS 1.0+ (Obsolete). However, we
recommend that you update your applications to use the latestsupportedTLS version.
ClickSave.
gcloud
When you create or update your application, use the--ssl-policyflag to
specify the minimum permitted TLS version.
To set a minimum TLS version while creating your app:
gcloud app create --ssl-policy=TLS_VERSION
To set a minimum TLS version while updating your app:
gcloud app update --ssl-policy=TLS_VERSION
ReplaceTLS_VERSIONwithTLS_VERSION_1_2. This only allows TLS version
1.2 and later, with modern cipher suites. If you want to allow less secure TLS version,
such as, 1.0 and later, replaceTLS_VERSIONwithTLS_VERSION_1_0. However, we recommend that you update your
applications to use the latestsupportedTLS version.
Disable custom TLS versions and ciphers
If you update your application settings to use TLS version 1.2 and later, App Engine automatically blocks all insecure traffic using TLS version 1.1 and earlier.
If you useCloud Load Balancing and serverless NEGSto route traffic to your App Engine application, you can disable a TLS
version or cipher by defining anSSL security policy. Specify the TLS versions and ciphers that HTTPS or SSL
connections can use.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis webpage's feature is currently unavailable.\u003c/p\u003e\n"],["\u003cp\u003eThe feature will be launched soon.\u003c/p\u003e\n"]]],[],null,["# Secure your app with minimum TLS (flexible environment)\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\nTo increase security, starting in March 2025, support for Transport Layer Security (TLS) version 1.1 and earlier is deprecated. [Update your application settings](#update-tls) in the App Engine flexible environment to use TLS version 1.2 and later, along with a corresponding secure set of cipher suites.\n|\n| **Preview\n| --- Secure your app with minimum TLS**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nWhen you select the latest TLS version, App Engine automatically\nblocks insecure traffic, without requiring you to\n[configure](/load-balancing/docs/https/setting-up-https-serverless) a\nglobal external Application Load Balancer to route requests to your application.\n\nTo upgrade your existing applications to use\nonly TLS version 1.2 and later, follow the [instructions](#update-tls) in this\nguide.\n| **Note:** If you update your application settings to enforce TLS version 1.2 and later, App Engine automatically rejects incoming requests that attempt to use older, less secure TLS versions 1.1 and earlier. Before March 2026, this rejection causes a `400 Bad Request - The request was malformed` error, after a successful TLS handshake, meaning the connection is established, but the request itself is denied. External SSL-checking sites might only verify a successful TLS handshake, and incorrectly imply that TLS version 1.1 and earlier are still supported. After March 2026, App Engine ensures stricter security compliance by preventing the TLS handshake itself for connections using TLS version 1.1 and earlier.\n\nSupported TLS versions and cipher suites\n----------------------------------------\n\nThe security of TLS connections depends on the negotiated cipher suite, a\ncombination of cryptographic algorithms. These cipher suites are identified by\nIANA values, as detailed in the following table:\n\nIf you need to use a different or a less restrictive cipher suite, we recommend\nthat you use a global external Application Load Balancer. For more information, see [Set up a classic Application Load Balancer with App Engine](/load-balancing/docs/https/setting-up-https-serverless) and [SSL policies for SSL and TLS protocols](/load-balancing/docs/ssl-policies-concepts#defining_an_ssl_policy) in the Cloud Load Balancing documentation.\n\nUpdate the TLS versions allowed for your app\n--------------------------------------------\n\nYou can update the TLS version using the Google Cloud console or the\ngcloud CLI. For tool-specific steps, click the tab for your preferred\ntool: \n\n### Console\n\n1. In the Google Cloud console, go to the App Engine **Settings** page:\n\n [Go to Settings](https://console.cloud.google.com/appengine/settings)\n2. In the **Application settings** tab, click **Edit application settings**.\n\n3. From the **SSL Policy** list, select **TLS 1.2+ (Modern ciphers)** .\n This selection only allows TLS version 1.2 and later, with modern cipher\n suites. If you want to allow less secure TLS versions,\n such as 1.0 and later, select **TLS 1.0+ (Obsolete)** . However, we\n recommend that you update your applications to use the latest [supported](#supported-versions) TLS version.\n\n4. Click **Save**.\n\n### gcloud\n\nWhen you create or update your application, use the `--ssl-policy` flag to\nspecify the minimum permitted TLS version.\n\nTo set a minimum TLS version while creating your app: \n\n gcloud app create --ssl-policy=\u003cvar translate=\"no\"\u003eTLS_VERSION\u003c/var\u003e\n\nTo set a minimum TLS version while updating your app: \n\n gcloud app update --ssl-policy=\u003cvar translate=\"no\"\u003eTLS_VERSION\u003c/var\u003e\n\nReplace \u003cvar translate=\"no\"\u003eTLS_VERSION\u003c/var\u003e with `TLS_VERSION_1_2`. This only allows TLS version\n1.2 and later, with modern cipher suites. If you want to allow less secure TLS version,\nsuch as, 1.0 and later, replace \u003cvar translate=\"no\"\u003eTLS_VERSION\u003c/var\u003e with `TLS_VERSION_1_0`. However, we recommend that you update your\napplications to use the latest [supported](#supported-versions) TLS version.\n\nDisable custom TLS versions and ciphers\n---------------------------------------\n\nIf you update your application settings to use TLS version 1.2 and later, App Engine automatically blocks all insecure traffic using TLS version 1.1 and earlier.\n\nIf you use\n[Cloud Load Balancing and serverless NEGS](/load-balancing/docs/negs/serverless-neg-concepts)\nto route traffic to your App Engine application, you can disable a TLS\nversion or cipher by defining an [SSL security policy](/load-balancing/docs/ssl-policies-concepts). Specify the TLS versions and ciphers that HTTPS or SSL\nconnections can use.\n\nWhat's next\n-----------\n\n- To verify and manage SSL certificates, see [Secure custom domains with SSL](/appengine/docs/flexible/securing-custom-domains-with-ssl).\n\n- To enable Cloud Load Balancing to manage incoming requests to your custom domain, see\n [Migrate App Engine custom domain to Cloud Load Balancing](/appengine/docs/flexible/custom-domain-to-cloud-load-balancing)."]]
