Use of HTTP and HTTPS with ArcGIS

Have you ever found Web Map layers blocked in your application? Or warnings of potentially harmful content? This could be the result of a mix of HTTPS and HTTP content. 

This article will explain the basics of HTTP and HTTPS protocols, and how they affect the ArcGIS Platform. It will also cover some common errors in QuestionWhere and MyNearest, in ArcGIS Online applications, and with sign-ins to ArcMap and Workforce.

What are HTTP and HTTPS?

HTTP (HyperText Transfer Protocol) is a protocol for communicating over the Internet. HTTPS (HTTP Secure, or HTTP over SSL) is the same protocol with added encryption for data security. A website served over HTTPS presents a certificate, so you can be sure the website is what it says it is and that any data you transfer will be securely encrypted.

Increasingly, HTTPS is becoming the required protocol. For example, in several modern browsers location data can only be transferred via HTTPS.


Why does it matter to ArcGIS users?

The Administrator of an ArcGIS Online organization needs to decide whether access to its content should only be allowed by HTTPS or whether to also allow HTTP requests.

Having mixed content can cause a variety of errors in your content and applications. The specific behaviour depends on your browser and browser version. For example, when you attempt to open an HTTPS layer in an HTTP map view or WebApp, your browser may notify you that you must reload the page in HTTPS and add the layer again. You may also see errors that layers could not be added to the map, but some browsers may successfully load these layers without notification. 


What do I need to do?

1. Decide how to configure your ArcGIS Online organization.

By default ArcGIS Online is configured to allow access to your ArcGIS Online organisation through 'HTTPS only', but this can be disabled. You can change this setting in ArcGIS Online under My Organization > Edit Settings > Security.

Allowing access to your ArcGIS Online organisation through 'HTTPS only' is intended for organizations that only access their own content or content from other HTTPS sources. It is possible to enable HTTPS and have users access additional non-HTTPS content from outside the organization, but this increases the risk of mixing HTTP and HTTPS content in the same app and so getting mixed content errors.

Further details can be found in the configuration guide.


2. Check for consistency

Mixed content can cause errors such as "Unable to add layer to the map" in Web Maps and Apps. If you're getting errors similar to this in maps and apps that you've authored, ensure there's consistency in the protocol you're using.

Check the URLs of any services used in maps and apps. For example, if your ArcGIS Online account is configured to allow access to the organisation through 'HTTPS only', then you can only add HTTPS service URLs to maps and apps. If not, then some applications will require only HTTP services to avoid mixed content errors.

To help with this, before adding an ArcGIS Server service as an item or layer to ArcGIS Online, check whether the URL you're adding is HTTP or HTTPS. ArcGIS Server can be configured to use either one of the protocols or both. If your ArcGIS Server is configured for both HTTP and HTTPS, you can choose which to use when you add the service as an item or layer to ArcGIS Online.
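The consistency check described in this step can be scripted. The following is an added example, not Esri code: it assumes a web map definition saved as JSON with layers listed under operationalLayers and baseMap.baseMapLayers, and the sample map and host names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of an ArcGIS web map definition
# (operationalLayers / baseMap.baseMapLayers); hosts are placeholders.
SAMPLE_WEBMAP = json.loads("""
{
  "operationalLayers": [
    {"title": "Schools", "url": "https://gis.example.com/arcgis/rest/services/Schools/MapServer"},
    {"title": "Flood zones", "url": "http://legacy.example.com/arcgis/rest/services/Flood/MapServer"},
    {"title": "Sketch notes", "featureCollection": {"layers": []}}
  ],
  "baseMap": {"baseMapLayers": [
    {"title": "Streets", "url": "//tiles.example.com/arcgis/rest/services/Streets/MapServer"}
  ]}
}
""")

def audit_webmap(webmap, app_scheme):
    """Return (title, layer_scheme, status) for every layer that has a URL.

    app_scheme is the protocol the map or app is opened with ("http"/"https").
    """
    layers = list(webmap.get("operationalLayers", []))
    layers += webmap.get("baseMap", {}).get("baseMapLayers", [])
    findings = []
    for layer in layers:
        url = layer.get("url")
        if not url:
            continue  # e.g. feature collections stored inside the map itself
        # A protocol-relative URL ("//host/...") inherits the app's scheme.
        scheme = urlsplit(url).scheme.lower() or app_scheme
        if scheme == app_scheme:
            status = "ok"
        elif app_scheme == "https":
            status = "mixed content: HTTP layer in HTTPS app"
        else:
            status = "HTTPS layer in HTTP app: browser may ask to reload over HTTPS"
        findings.append((layer.get("title", "(untitled)"), scheme, status))
    return findings

if __name__ == "__main__":
    for app_scheme in ("https", "http"):
        print(f"App opened over {app_scheme.upper()}:")
        for title, layer_scheme, status in audit_webmap(SAMPLE_WEBMAP, app_scheme):
            print(f"  {title:12} {layer_scheme:5} {status}")
```

Any layer that is not reported as "ok" for the protocol your organisation uses is a candidate for the "Unable to add layer to the map" error.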


3. Across the ArcGIS platform

Errors relating to the HTTP and HTTPS protocols can occur in:

MyNearest/QuestionWhere apps. These apps support both HTTP and HTTPS requests; however, they don’t allow mixed content, so you need to use the same protocol as your services. Apps will default to the same protocol as the app builder, so if you need HTTPS, use the app builder in HTTPS, and vice versa.

Workforce for ArcGIS now supports online access through HTTPS. So if you allow access to your ArcGIS Online organisation through 'HTTPS only', you’ll need to use HTTPS to be able to log in, as explained in the FAQs.

ArcMap publishing. If you allow access to your ArcGIS Online organisation through 'HTTPS only' and want to publish hosted web layers from ArcMap, you need to add your organization to your list of portal connections in the format https://<organization short name>

Embedding Maps and Apps in your own website using the ready-to-use HTML. Ensure the URL in the HTML is in the same protocol as your website. If you allow access to your ArcGIS Online organisation through 'HTTPS only' then this will need to be HTTPS.