Since the appspot.com domain is already signed by Google, you may be able to simply pin that public key; but there is no guarantee that Google will not change it without warning. Therefore, using your own SSL certificate (self-signed should work, as the App Engine Managed SSL <https://cloud.google.com/appengine/docs/standard/python/securing-custom-domains-with-ssl#verify_a_managed_certificate_has_been_provisioned> is actually a free LetsEncrypt cert) will ensure the key only changes when you manually make the change and should provide the protection you are looking for.
As a side note, the older 'HPKP' way of pinning is now deprecated <https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/he9tr7p3rZ8> in favor of the safer 'Expect-CT' header. You can also use the 'secure: always' <https://cloud.google.com/appengine/docs/standard/python/config/appref> app.yaml configuration option to force all requests to use HTTPS.

- Since Google Groups is reserved for general product discussions, if you require further technical support for implementing SSL pinning it is recommended to post your detailed questions <https://stackoverflow.com/help/how-to-ask> to Stack Exchange <https://cloud.google.com/support/docs/stackexchange> using the supported Cloud tags.