hagh

Reputation: 577

How to properly enable HTTPS on App Engine flex environment and Go?

I am trying to enable HTTPS on my Go App deployed to GAE flex environment. I have my custom domain successfully mapped, and am using Google-managed SSL certificates. I have app.yaml configured to redirect HTTP to HTTPS as follows:

handlers:
- url: /.*
  script: _go_app
  secure: always

Now there are two problems that I haven't been able to resolve so far.

First, the above configuration is supposed to redirect HTTP traffic to HTTPS, but apparently it is not happening.

Second, when I add https:// in the URL box, I see three different behaviors on Firefox, Chrome, and Edge. Edge identifies the website as secure; Firefox marks the website as a secure connection, but says that it "has blocked parts of this page that are not secure"; and surprisingly Chrome marks the website as Not secure (though it says the certificate is valid!).

With these symptoms I was wondering if I should take additional steps to make redirecting and SSL work for my website? Specifically, I would like to know with App Engine, and managed SSL enabled:

  1. Should I continue serving pages on HTTP using http.ListenAndServe(..), or do I need to switch to http.ListenAndServeTLS(..)?

  2. In my Go app should I redirect HTTP to HTTPS, or is the above setting expected to work just fine?

Thanks in advance for your help and advice.

PS: Trying out different suggestions, I added Strict-Transport-Security: max-age=31536000; includeSubDomains to the handlers' response. It does not seem that this helped with redirection either.

EDIT/PARTIAL ANSWER:

According to this documentation, under Authentication changes, the secure and login handlers are deprecated. The documentation suggests using Strict-Transport-Security or X-Forwarded-Proto instead.

I am using Strict-Transport-Security on the server side to enrich my response header:

// STLHandler wraps nextHandler and adds an HSTS header to every response it passes through.
type STLHandler struct {
    nextHandler http.Handler
}

func (h *STLHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
    w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
    h.nextHandler.ServeHTTP(w, req)
}

I was wondering if I am using this header in the right place?

Upvotes: 1

Views: 950
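The two numbered questions above, and the X-Forwarded-Proto hint in the edit, come down to one middleware: on the flexible environment TLS is terminated at Google's front end, the container only ever sees plain HTTP on $PORT, and the original scheme arrives in the X-Forwarded-Proto header. The following is an added example written for this answer, not code from the question or from Google's documentation. It assumes the header can be trusted because only the platform proxy reaches the container, and it assumes a legacy health-check path of /_ah/health (adjust to whatever your app.yaml configures); redirecting the health checker would get the instance marked unhealthy, which is the caveat the plain `secure: always` handler hid from you.

```go
package main

import (
	"log"
	"net/http"
	"os"
	"strings"
)

// Health-check path exempted from the redirect (assumed; match your app.yaml).
const healthPath = "/_ah/health"

// isForwardedHTTPS reports whether the client spoke TLS to the front end.
// req.TLS is nil inside a flex container (the proxy terminates TLS), so the
// decision rests on X-Forwarded-Proto, which may be a comma-separated list
// when several proxies are chained; the first entry is the client-facing scheme.
func isForwardedHTTPS(req *http.Request) bool {
	if req.TLS != nil {
		return true
	}
	proto := req.Header.Get("X-Forwarded-Proto")
	if i := strings.IndexByte(proto, ','); i >= 0 {
		proto = proto[:i]
	}
	return strings.EqualFold(strings.TrimSpace(proto), "https")
}

// httpsURL rebuilds the requested URL with the https scheme, keeping host,
// path and query so the redirect lands on the same resource.
func httpsURL(req *http.Request) string {
	return "https://" + req.Host + req.URL.RequestURI()
}

// forceHTTPS redirects plain-HTTP requests to HTTPS and stamps HSTS on
// HTTPS responses so returning browsers skip the redirect hop entirely.
// HSTS is deliberately not sent on the HTTP redirect: browsers ignore it
// there, and a 301 carries no other content worth protecting.
func forceHTTPS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		if req.URL.Path == healthPath {
			next.ServeHTTP(w, req)
			return
		}
		if !isForwardedHTTPS(req) {
			// 301 is fine for GET/HEAD; 308 preserves method and body for the rest.
			code := http.StatusMovedPermanently
			if req.Method != http.MethodGet && req.Method != http.MethodHead {
				code = http.StatusPermanentRedirect
			}
			http.Redirect(w, req, httpsURL(req), code)
			return
		}
		w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		next.ServeHTTP(w, req)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
		_, _ = w.Write([]byte("served over " + req.Header.Get("X-Forwarded-Proto") + "\n"))
	})
	// App Engine injects PORT; 8080 is its documented default for local runs.
	port := os.Getenv("PORT")
	if port == "" {
		port = "8080"
	}
	// Plain ListenAndServe is correct here: the front end owns the certificate,
	// so ListenAndServeTLS inside the container would only break the proxy hop.
	log.Fatal(http.ListenAndServe(":"+port, forceHTTPS(mux)))
}
```

Wrap your existing mux with forceHTTPS and keep http.ListenAndServe; the managed certificate never touches your process, which is why a local `curl -H 'X-Forwarded-Proto: http' localhost:8080/` is enough to see the 301 and `-H 'X-Forwarded-Proto: https'` to see the HSTS header.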

Answers (2)

hagh

Reputation: 577

For the second set of my problems I realized I have mixed content on my page. My mixed content was a http link to a set of fonts. When I fixed the mixed content, i.e. changed http to https, both Chrome and Firefox security warnings disappeared. You may also find this page Avoiding the Not Secure Warning in Chrome useful on this matter.

Upvotes: 1

nbari

Reputation: 26925

You need to check your app using:

http://[YOUR_PROJECT_ID].appspot.com

Or if you need HTTPS:

https://[YOUR_PROJECT_ID].appspot.com

If you want your own certificate, you will need to upload it, and then it will be available at: https://your-domain.tld

From the docs:

  • For APIs that will be hosted on App Engine flexible environment, you must use the appspot.com domain, and the service name must be in the following format: YOUR_PROJECT_ID.appspot.com

    When you deploy your API to App Engine, a DNS entry with a name in the format YOUR_PROJECT_ID.appspot.com is created automatically.

  • For APIs that will be hosted on Compute Engine, Kubernetes Engine, or Kubernetes, you must use the cloud.goog domain, and the service name must be in the following format: YOUR_API_NAME.endpoints.YOUR_PROJECT_ID.cloud.goog

Or you could just put a CDN in front, like Cloudflare, which will do all the SSL termination for you and, if required, redirect all HTTP to HTTPS.

Upvotes: 0
