Changes to organization security settings

An ArcGIS Online update earlier this year introduced a couple of changes to the security settings available for your ArcGIS Online organization. The changes are related to the Allow access to the organization through HTTPS only and Allow only standard SQL queries security settings. To help ensure a secure platform for your organization’s hosted resources, we’ve made a few changes to these settings.  If your organization already has these options enabled, you’re set! You will no longer see them as configurable options in your organization’s settings. If you have one or both options disabled, you will see a Warning banner with a recommendation that you enable these options for your organization. These changes are part of a larger commitment to providing a secure platform. In 2019, you will see additional security enhancements to the ArcGIS platform. Esri’s Chief Information Security Officer, Michael Young, detailed these enhancements in a recent blog post, 2019 ArcGIS Transport Security Improvements.


ArcGIS Online security policies
ArcGIS Online security policies

Why HTTPS matters for your organization

HTTPS helps secure your organization’s assets. For instance, when you view data (as part of a layer, map, or app) or collect data (as part of a survey, for example), HTTPS helps ensure nobody can see the data aside from the people you share it with. Many government agencies, especially at the federal level, have stringent requirements for how data must be secured. Esri has done a considerable amount of work to meet these requirements (adhering to guidelines from FedRamp, FISMA, and GDRP to name a few), and will continue to enhance security for ArcGIS Online and the ArcGIS platform overall. See ArcGIS Trust Center for more information regarding Esri’s compliance with these initiatives.

When the HTTPS only setting is enabled for your organization, your data hosted in ArcGIS Online can only be accessed over HTTPS. HTTP is effectively disabled. Any communication between you (or anyone else) and your ArcGIS Online organization is only over HTTPS, whether that is through a browser, device or desktop application.

With a cloud-based SaaS such as ArcGIS Online, using HTTPS for communication over the internet is one of the most important steps you can take to secure sensitive information.

Additionally, the main browsers (Google Chrome, Mozilla Firefox, Microsoft Edge / Internet Explorer 11, and Apple Safari) are becoming increasingly strict with HTTP traffic, with browser updates frequently introducing tighter controls that either alert you to security issues with websites or block you from visiting websites the browser deems unsafe.

See Why should my organization use HTTPS only? for more information.

How to upgrade your organization to HTTPS only

To enable the HTTPS only setting for your organization, go to the settings tab of your organization page and select Security. In the Policies section, you will see Allow access to the organization with HTTPS only under the Warning banner. If you don’t see this option or the option is enabled, your organization is already enabled for HTTPS only!

Here are a few items to consider when enabling the HTTPS only setting for your organization.

Stay tuned for an upcoming post with more instructions on updating your organization to HTTPS only.

Allow only Standard SQL Queries

SQL is a scripting language commonly used by developers when working with feature data hosted in ArcGIS Online. Standardized SQL is a specific version of SQL and is generally regarded as more secure. All ArcGIS apps support standardized SQL. As such, it’s no longer necessary to expose standardized SQL as a configurable option for your organization.

Esri recommends that your ArcGIS Online organization allow only standard SQL queries.  If your organization already has this organization security option enabled, you will no longer see it as a configurable option. If your organization does not have the option enabled, you will see the option under the Warning banner in the Security section of your organization’s settings.

To learn more, see Standardized SQL functions in ArcGIS Online.

Additional reading

To learn more about HTTPS, check out the additional resources provided below.  A good resource is The HTTPS-Only Standard, a website provided by the US government that details how federal websites should be secured. While the focus is on websites for the federal government, most of the information can be considered best practices for any website.

Below are specific resources that discuss HTTPS and overall security and privacy. Visit ArcGIS Trust Center for more information regarding Esri’s commitment to security and compliance.

Esri’s Committment to GDPR, Privacy & Security

ArcGIS Platform SSL/TLS Support and Configuration Briefing

ArcGIS Online FedRAMP Authorization & New Security Advisor Tool

Sharing Web GIS Services? Always enable TLS

ArcGIS Enterprise and SSL considerations

Google Developer presentation on HTTPS everywhere


About the author

Chris is a product engineer for ArcGIS Online.

Next Article

ArcGIS Urban & ArcGIS CityEngine: A Complete Master Planning Solution for Local Government

Read this article