[[webflux-http]] = HTTP All HTTP based communication should be protected xref:overview/features/exploits/http.adoc#http[using TLS]. Below you can find details around WebFlux specific features that assist with HTTPS usage. [[webflux-http-redirect]] == Redirect to HTTPS If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS. For example, the following Java configuration will redirect any HTTP requests to HTTPS: .Redirect to HTTPS ==== .Java [source,java,role="primary"] ---- @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .redirectToHttps(withDefaults()); return http.build(); } ---- .Kotlin [source,kotlin,role="secondary"] ---- @Bean fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain { return http { // ... redirectToHttps { } } } ---- ==== The configuration can easily be wrapped around an if statement to only be turned on in production. Alternatively, it can be enabled by looking for a property about the request that only happens in production. For example, if the production environment adds a header named `X-Forwarded-Proto` the following Java Configuration could be used: .Redirect to HTTPS when X-Forwarded ==== .Java [source,java,role="primary"] ---- @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .redirectToHttps(redirect -> redirect .httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto")) ); return http.build(); } ---- .Kotlin [source,kotlin,role="secondary"] ---- @Bean fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain { return http { // ... redirectToHttps { httpsRedirectWhen { it.request.headers.containsKey("X-Forwarded-Proto") } } } } ---- ==== [[webflux-hsts]] == Strict Transport Security Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-headers-hsts[Strict Transport Security] and enables it by default. [[webflux-http-proxy-server]] == Proxy Server Configuration Spring Security xref:overview/features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].