Clarifying SSL: Google App Engine still doesn't support it, does.

Google App Engine still doesn't support SSL

I'm seeing a lot of misinformation out there that Google App Engine has SSL support. It doesn't.

If you read Google's announcement from last month carefully, you will see that it is titled "Announcing HTTPS support for", not "for Google App Engine" .

"What's the difference?", you may be wondering. It's quite big.

What google supports is SSL for subdomains for So, if you're happy with hosting your application only from your subdomain, then you can use SSL in your application. For example, I have several simple open source apps that I host on Google App Engine, like opencountrycodes and isvat. Since I'm not worried about having custom domains for these, I host them on subdomains (e.g., If I wanted to use HTTPS on these apps, I could and you could hit, for example, to get to the secure version of the site.

The issue arises when you want to use your own domain for your App Engine application. The <head> conference web site, for example, resides at It also has a subdomain on but I don't publicize that. Currently, there is no way I can use SSL on the Head Conference web site as Google App Engine only supports SSL for subdomains (so, if the headconference subdomain on was, I could use SSL on that subdomain).

"So", I can hear you ask, "why don't you just use for everything and for the SSL connections?"

The answer: sessions and usability.

Take this example:

I want to use PayPal to process a payment. My user hits, signs in, and starts the checkout process. I forward the user to PayPal and pass the secure URL of my notification script to PayPal (e.g., When the user returns from PayPal, they are no longer on the site, their session is no longer valid, and they need to sign in again.

In other words, this is not a usable solution for custom domains.

The problem is that implementing SSL on Google App Engine is not a trivial solution. One possible methodx that has been suggested several times in the forums is to use the Server Name Indication (SLI) extension to Transport Layer Security (TLS).

So what is the current state of SSL on Google App Engine? It's still not supported, with the exception of applications that are hosted only at subdomains. In other words — given that most real-world applications, whether commercial or not, will want to be hosted under their own domains — SSL is still not supported for real-world applications on Google App Engine.