[[webflux-http]] = HTTP All HTTP-based communication should be protected with xref:features/exploits/http.adoc#http[using TLS]. This section covers details about using WebFlux-specific features that assist with HTTPS usage. [[webflux-http-redirect]] == Redirect to HTTPS If a client makes a request using HTTP rather than HTTPS, you can configure Spring Security to redirect to HTTPS. The following Java configuration redirects any HTTP requests to HTTPS: .Redirect to HTTPS ==== .Java [source,java,role="primary"] ---- @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .redirectToHttps(withDefaults()); return http.build(); } ---- .Kotlin [source,kotlin,role="secondary"] ---- @Bean fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain { return http { // ... redirectToHttps { } } } ---- ==== You can wrap the configuration can be wrapped around an `if` statement to be turned on only in production. Alternatively, you can enable it by looking for a property about the request that happens only in production. For example, if the production environment adds a header named `X-Forwarded-Proto`, you should use the following Java Configuration: .Redirect to HTTPS when X-Forwarded ==== .Java [source,java,role="primary"] ---- @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .redirectToHttps(redirect -> redirect .httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto")) ); return http.build(); } ---- .Kotlin [source,kotlin,role="secondary"] ---- @Bean fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain { return http { // ... redirectToHttps { httpsRedirectWhen { it.request.headers.containsKey("X-Forwarded-Proto") } } } } ---- ==== [[webflux-hsts]] == Strict Transport Security Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-headers-hsts[Strict Transport Security] and enables it by default. [[webflux-http-proxy-server]] == Proxy Server Configuration Spring Security xref:features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].