spring-security/docs/modules/ROOT/pages/features/exploits/http.adoc

[[http]]
= HTTP

All HTTP-based communication, including https://www.troyhunt.com/heres-why-your-static-website-needs-https/[static resources], should be protected by https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html[using TLS].

As a framework, Spring Security does not handle HTTP connections and thus does not provide support for HTTPS directly.
However, it does provide a number of features that help with HTTPS usage.

[[http-redirect]]
== Redirect to HTTPS

When a client uses HTTP, you can configure Spring Security to redirect to HTTPS in both xref:servlet/exploits/http.adoc#servlet-http-redirect[Servlet] and xref:reactive/exploits/http.adoc#webflux-http-redirect[WebFlux] environments.

[[http-hsts]]
== Strict Transport Security

Spring Security provides support for xref:features/exploits/headers.adoc#headers-hsts[Strict Transport Security] and enables it by default.

[[http-proxy-server]]
== Proxy Server Configuration

When using a proxy server, it is important to ensure that you have configured your application properly.
For example, many applications have a load balancer that responds to request for `\https://example.com/` by forwarding the request to an application server at `\https://192.168.0.107`
Without proper configuration, the application server can not know that the load balancer exists and treats the request as though `\https://192.168.0.107:8080` was requested by the client.

To fix this, you can use https://tools.ietf.org/html/rfc7239[RFC 7239] to specify that a load balancer is being used.
To make the application aware of this, you need to configure your application server to be aware of the X-Forwarded headers.
For example, Tomcat uses https://tomcat.apache.org/tomcat-10.1-doc/api/org/apache/catalina/valves/RemoteIpValve.html[`RemoteIpValve`] and Jetty uses https://eclipse.dev/jetty/javadoc/jetty-11/org/eclipse/jetty/server/ForwardedRequestCustomizer.html[`ForwardedRequestCustomizer`].
Alternatively, Spring users can use https://docs.spring.io/spring-framework/reference/web/webmvc/filters.html#filters-forwarded-headers[`ForwardedHeaderFilter`] with the Servlet stack or https://docs.spring.io/spring-framework/reference/web/webflux/reactive-spring.html#webflux-forwarded-headers[`ForwardedHeaderTransformer`] with the Reactive stack.

Spring Boot users can use the `server.forward-headers-strategy` property to configure the application.
See the https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto.webserver.use-behind-a-proxy-server[Spring Boot documentation] for further details.
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00			`[[http]]`
			`= HTTP`

Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 17:01:26 -04:00			`All HTTP-based communication, including https://www.troyhunt.com/heres-why-your-static-website-needs-https/[static resources], should be protected by https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html[using TLS].`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00
			`As a framework, Spring Security does not handle HTTP connections and thus does not provide support for HTTPS directly.`
			`However, it does provide a number of features that help with HTTPS usage.`

			`[[http-redirect]]`
			`== Redirect to HTTPS`

Merge Clean up Reference Documentation Closes gh-9668 2021-12-13 17:57:36 -05:00			`When a client uses HTTP, you can configure Spring Security to redirect to HTTPS in both xref:servlet/exploits/http.adoc#servlet-http-redirect[Servlet] and xref:reactive/exploits/http.adoc#webflux-http-redirect[WebFlux] environments.`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00
			`[[http-hsts]]`
			`== Strict Transport Security`

overview/ -> ../ 2021-08-10 16:21:42 -04:00			`Spring Security provides support for xref:features/exploits/headers.adoc#headers-hsts[Strict Transport Security] and enables it by default.`
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00
			`[[http-proxy-server]]`
			`== Proxy Server Configuration`

Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 17:01:26 -04:00			`When using a proxy server, it is important to ensure that you have configured your application properly.`
Update http.adoc 2023-11-06 05:04:30 -05:00			For example, many applications have a load balancer that responds to request for `\https://example.com/` by forwarding the request to an application server at `\https://192.168.0.107`
			Without proper configuration, the application server can not know that the load balancer exists and treats the request as though `\https://192.168.0.107:8080` was requested by the client.
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 17:01:26 -04:00			`To fix this, you can use https://tools.ietf.org/html/rfc7239[RFC 7239] to specify that a load balancer is being used.`
			`To make the application aware of this, you need to configure your application server to be aware of the X-Forwarded headers.`
Update links in adocs Spring Security 6.0 requires Spring 6.0 as a minimum and Spring 6.0 requires a minimum of Tomcat 10/Jetty 11 Closes gh-13565 2023-07-19 21:26:08 -04:00			For example, Tomcat uses https://tomcat.apache.org/tomcat-10.1-doc/api/org/apache/catalina/valves/RemoteIpValve.html[`RemoteIpValve`] and Jetty uses https://eclipse.dev/jetty/javadoc/jetty-11/org/eclipse/jetty/server/ForwardedRequestCustomizer.html[`ForwardedRequestCustomizer`].
Update doc references for forwarded headers support This updates references to the deprecated server.use-forward-headers property to the recommended server.forward-headers-strategy property. This also mentions the Reactive ForwardedHeaderTransformer alongside the ForwardedHeaderFilter and updates their links to point to the respective reference docs. 2023-09-28 15:27:36 -04:00			Alternatively, Spring users can use https://docs.spring.io/spring-framework/reference/web/webmvc/filters.html#filters-forwarded-headers[`ForwardedHeaderFilter`] with the Servlet stack or https://docs.spring.io/spring-framework/reference/web/webflux/reactive-spring.html#webflux-forwarded-headers[`ForwardedHeaderTransformer`] with the Reactive stack.
Extract HTTPS Documentation Fixes gh-7626 2019-11-25 16:49:51 -05:00
Update doc references for forwarded headers support This updates references to the deprecated server.use-forward-headers property to the recommended server.forward-headers-strategy property. This also mentions the Reactive ForwardedHeaderTransformer alongside the ForwardedHeaderFilter and updates their links to point to the respective reference docs. 2023-09-28 15:27:36 -04:00			Spring Boot users can use the `server.forward-headers-strategy` property to configure the application.
			`See the https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto.webserver.use-behind-a-proxy-server[Spring Boot documentation] for further details.`