spring-security/docs/modules/ROOT/pages/features/exploits/http.adoc

[[http]]
= HTTP

All HTTP-based communication, including https://www.troyhunt.com/heres-why-your-static-website-needs-https/[static resources], should be protected by https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html[using TLS].

As a framework, Spring Security does not handle HTTP connections and thus does not provide support for HTTPS directly.
However, it does provide a number of features that help with HTTPS usage.

[[http-redirect]]
== Redirect to HTTPS

When a client uses HTTP, you can configure Spring Security to redirect to HTTPS in both xref:servlet/exploits/http.adoc#servlet-http-redirect[Servlet] and xref:reactive/exploits/http.adoc#webflux-http-redirect[WebFlux] environments.

[[http-hsts]]
== Strict Transport Security

Spring Security provides support for xref:features/exploits/headers.adoc#headers-hsts[Strict Transport Security] and enables it by default.

[[http-proxy-server]]
== Proxy Server Configuration

When using a proxy server, it is important to ensure that you have configured your application properly.
For example, many applications have a load balancer that responds to request for https://example.com/ by forwarding the request to an application server at https://192.168.1:8080
Without proper configuration, the application server can not know that the load balancer exists and treats the request as though https://192.168.1:8080 was requested by the client.

To fix this, you can use https://tools.ietf.org/html/rfc7239[RFC 7239] to specify that a load balancer is being used.
To make the application aware of this, you need to configure your application server to be aware of the X-Forwarded headers.
For example, Tomcat uses https://tomcat.apache.org/tomcat-10.1-doc/api/org/apache/catalina/valves/RemoteIpValve.html[`RemoteIpValve`] and Jetty uses https://eclipse.dev/jetty/javadoc/jetty-11/org/eclipse/jetty/server/ForwardedRequestCustomizer.html[`ForwardedRequestCustomizer`].
Alternatively, Spring users can use https://github.com/spring-projects/spring-framework/blob/v4.3.3.RELEASE/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java[`ForwardedHeaderFilter`].

Spring Boot users can use the `server.use-forward-headers` property to configure the application.
See the https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-use-tomcat-behind-a-proxy-server[Spring Boot documentation] for further details.
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00			`[[http]]`
			`= HTTP`

Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 17:01:26 -04:00			`All HTTP-based communication, including https://www.troyhunt.com/heres-why-your-static-website-needs-https/[static resources], should be protected by https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html[using TLS].`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00
			`As a framework, Spring Security does not handle HTTP connections and thus does not provide support for HTTPS directly.`
			`However, it does provide a number of features that help with HTTPS usage.`

			`[[http-redirect]]`
			`== Redirect to HTTPS`

Merge Clean up Reference Documentation Closes gh-9668 2021-12-13 17:57:36 -05:00			`When a client uses HTTP, you can configure Spring Security to redirect to HTTPS in both xref:servlet/exploits/http.adoc#servlet-http-redirect[Servlet] and xref:reactive/exploits/http.adoc#webflux-http-redirect[WebFlux] environments.`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00
			`[[http-hsts]]`
			`== Strict Transport Security`

overview/ -> ../ 2021-08-10 16:21:42 -04:00			`Spring Security provides support for xref:features/exploits/headers.adoc#headers-hsts[Strict Transport Security] and enables it by default.`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00
			`[[http-proxy-server]]`
			`== Proxy Server Configuration`

Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 17:01:26 -04:00			`When using a proxy server, it is important to ensure that you have configured your application properly.`
			`For example, many applications have a load balancer that responds to request for https://example.com/ by forwarding the request to an application server at https://192.168.1:8080`
			`Without proper configuration, the application server can not know that the load balancer exists and treats the request as though https://192.168.1:8080 was requested by the client.`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 17:01:26 -04:00			`To fix this, you can use https://tools.ietf.org/html/rfc7239[RFC 7239] to specify that a load balancer is being used.`
			`To make the application aware of this, you need to configure your application server to be aware of the X-Forwarded headers.`
Update links in adocs Spring Security 6.0 requires Spring 6.0 as a minimum and Spring 6.0 requires a minimum of Tomcat 10/Jetty 11 Closes gh-13565 2023-07-19 21:26:08 -04:00			For example, Tomcat uses https://tomcat.apache.org/tomcat-10.1-doc/api/org/apache/catalina/valves/RemoteIpValve.html[`RemoteIpValve`] and Jetty uses https://eclipse.dev/jetty/javadoc/jetty-11/org/eclipse/jetty/server/ForwardedRequestCustomizer.html[`ForwardedRequestCustomizer`].
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 17:01:26 -04:00			Alternatively, Spring users can use https://github.com/spring-projects/spring-framework/blob/v4.3.3.RELEASE/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java[`ForwardedHeaderFilter`].
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 17:01:26 -04:00			Spring Boot users can use the `server.use-forward-headers` property to configure the application.
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00			`See the https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-use-tomcat-behind-a-proxy-server[Spring Boot documentation] for further details.`