spring-security/docs/modules/ROOT/pages/reactive/exploits/http.adoc

[[webflux-http]]
= HTTP

All HTTP-based communication should be protected with xref:features/exploits/http.adoc#http[using TLS].

This section covers details about using WebFlux-specific features that assist with HTTPS usage.

[[webflux-http-redirect]]
== Redirect to HTTPS

If a client makes a request using HTTP rather than HTTPS, you can configure Spring Security to redirect to HTTPS.

The following Java configuration redirects any HTTP requests to HTTPS:

.Redirect to HTTPS
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	http
		// ...
		.redirectToHttps(withDefaults());
	return http.build();
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        // ...
        redirectToHttps { }
    }
}
----
======

You can wrap the configuration can be wrapped around an `if` statement to be turned on only in production.
Alternatively, you can enable it by looking for a property about the request that happens only in production.
For example, if the production environment adds a header named `X-Forwarded-Proto`, you should use the following Java Configuration:

.Redirect to HTTPS when X-Forwarded
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	http
		// ...
		.redirectToHttps(redirect -> redirect
			.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
		);
	return http.build();
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        // ...
        redirectToHttps {
            httpsRedirectWhen {
                it.request.headers.containsKey("X-Forwarded-Proto")
            }
        }
    }
}
----
======

[[webflux-hsts]]
== Strict Transport Security

Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-headers-hsts[Strict Transport Security] and enables it by default.

[[webflux-http-proxy-server]]
== Proxy Server Configuration

Spring Security xref:features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 15:49:51 -06:00			`[[webflux-http]]`
			`= HTTP`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-18 21:12:37 -05:00
Merge Clean up Reference Documentation Closes gh-9668 2021-12-13 16:57:36 -06:00			`All HTTP-based communication should be protected with xref:features/exploits/http.adoc#http[using TLS].`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-18 21:12:37 -05:00
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`This section covers details about using WebFlux-specific features that assist with HTTPS usage.`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 15:49:51 -06:00
			`[[webflux-http-redirect]]`
			`== Redirect to HTTPS`

Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`If a client makes a request using HTTP rather than HTTPS, you can configure Spring Security to redirect to HTTPS.`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 15:49:51 -06:00
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`The following Java configuration redirects any HTTP requests to HTTPS:`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 15:49:51 -06:00
			`.Redirect to HTTPS`
Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`[tabs]`
			`======`
			`Java::`
			`+`
Add reactive HTTP exploit samples Issue gh-8172 2020-09-18 14:43:23 +02:00			`[source,java,role="primary"]`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-18 21:12:37 -05:00			`----`
			`@Bean`
Remove exceptions from lambda security configuration Fixes: gh-7128 2019-07-24 12:15:32 -04:00			`SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-18 21:12:37 -05:00			`http`
			`// ...`
Support nested builder in DSL for reactive apps Fixes: gh-7107 2019-07-22 09:31:10 -04:00			`.redirectToHttps(withDefaults());`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-18 21:12:37 -05:00			`return http.build();`
			`}`
			`----`
Add reactive HTTP exploit samples Issue gh-8172 2020-09-18 14:43:23 +02:00
Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`Kotlin::`
			`+`
Add reactive HTTP exploit samples Issue gh-8172 2020-09-18 14:43:23 +02:00			`[source,kotlin,role="secondary"]`
			`----`
			`@Bean`
			`fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {`
			`return http {`
			`// ...`
			`redirectToHttps { }`
			`}`
			`}`
			`----`
Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`======`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-18 21:12:37 -05:00
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			You can wrap the configuration can be wrapped around an `if` statement to be turned on only in production.
			`Alternatively, you can enable it by looking for a property about the request that happens only in production.`
			For example, if the production environment adds a header named `X-Forwarded-Proto`, you should use the following Java Configuration:
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-18 21:12:37 -05:00
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 15:49:51 -06:00			`.Redirect to HTTPS when X-Forwarded`
Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`[tabs]`
			`======`
			`Java::`
			`+`
Add reactive HTTP exploit samples Issue gh-8172 2020-09-18 14:43:23 +02:00			`[source,java,role="primary"]`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-18 21:12:37 -05:00			`----`
			`@Bean`
Remove exceptions from lambda security configuration Fixes: gh-7128 2019-07-24 12:15:32 -04:00			`SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-18 21:12:37 -05:00			`http`
			`// ...`
Use standard lambda syntax in documentation Fixes: gh-7774 2020-01-10 13:10:36 +01:00			`.redirectToHttps(redirect -> redirect`
			`.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))`
Support nested builder in DSL for reactive apps Fixes: gh-7107 2019-07-22 09:31:10 -04:00			`);`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-18 21:12:37 -05:00			`return http.build();`
			`}`
			`----`
Add reactive HTTP exploit samples Issue gh-8172 2020-09-18 14:43:23 +02:00
Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`Kotlin::`
			`+`
Add reactive HTTP exploit samples Issue gh-8172 2020-09-18 14:43:23 +02:00			`[source,kotlin,role="secondary"]`
			`----`
			`@Bean`
			`fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {`
			`return http {`
			`// ...`
			`redirectToHttps {`
			`httpsRedirectWhen {`
			`it.request.headers.containsKey("X-Forwarded-Proto")`
			`}`
			`}`
			`}`
			`}`
			`----`
Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`======`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 15:49:51 -06:00
			`[[webflux-hsts]]`
			`== Strict Transport Security`

mkdir -p build/ids find -name ".adoc" \| xargs -I{file} awk -v file={file} '/\[\[/ { gsub("\[\|\]", ""); id=$0; gsub("./docs/modules/ROOT/pages/", "", file); gsub("\[\|\]", ""); id=$0;getline;text=$0; sub("^=+ ","", text); print file > "build/ids/"id".id"; print text > "build/ids/"id".text" }' {file} find docs/modules -name ".adoc"\|while read adoc_file_to_replace; do echo "Replacing $adoc_file_to_replace" for id_file in build/ids/*.id; do id=$(basename $id_file \| sed 's/\.id$//') xref_page=$(cat $id_file) if [[ "$adoc_file_to_replace" -ef "./docs/modules/ROOT/pages/$xref_page" ]] then echo " - Skipping same page refid $id " else sed -i -E "s%<<$id(\|,([^,>]+))>>%xref:${xref_page}#${id}[\2]%g" $adoc_file_to_replace fi done done 2021-07-30 16:56:54 -05:00			`Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-headers-hsts[Strict Transport Security] and enables it by default.`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 15:49:51 -06:00
			`[[webflux-http-proxy-server]]`
			`== Proxy Server Configuration`

overview/ -> ../ 2021-08-10 15:21:42 -05:00			`Spring Security xref:features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].`