mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-04-09 16:58:43 +00:00
This updates references to the deprecated server.use-forward-headers property to the recommended server.forward-headers-strategy property. This also mentions the Reactive ForwardedHeaderTransformer alongside the ForwardedHeaderFilter and updates their links to point to the respective reference docs.
33 lines
2.5 KiB
Plaintext

[[http]]
= HTTP

All HTTP-based communication, including https://www.troyhunt.com/heres-why-your-static-website-needs-https/[static resources], should be protected by https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html[using TLS].

As a framework, Spring Security does not handle HTTP connections and thus does not provide support for HTTPS directly.
However, it does provide a number of features that help with HTTPS usage.

[[http-redirect]]
== Redirect to HTTPS

When a client uses HTTP, you can configure Spring Security to redirect to HTTPS in both xref:servlet/exploits/http.adoc#servlet-http-redirect[Servlet] and xref:reactive/exploits/http.adoc#webflux-http-redirect[WebFlux] environments.

[[http-hsts]]
== Strict Transport Security

Spring Security provides support for xref:features/exploits/headers.adoc#headers-hsts[Strict Transport Security] and enables it by default.
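
The two features above (the HTTPS redirect and HSTS) are both switched on through the `HttpSecurity` builder on the Servlet stack. The configuration below is an added example, not code from the page or from the Spring Security project's own reference docs; the class name `TransportSecurityConfig`, the one-year `max-age` and the `formLogin` setup are assumptions made for the illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Added example (not from the original page): redirect-to-HTTPS plus a tuned
// HSTS header on the Servlet stack. Class name and max-age are assumptions.
@Configuration
@EnableWebSecurity
public class TransportSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Redirect to HTTPS: a request that arrives over plain HTTP is answered
            // with a redirect to the same URL on the HTTPS port. The target port is
            // taken from the PortMapper, whose defaults map 80 -> 443 and 8080 -> 8443.
            .requiresChannel(channel -> channel
                .anyRequest().requiresSecure())
            // Strict Transport Security: already on by default, tuned here. The
            // writer only adds the header to responses for requests the container
            // reports as secure (HttpServletRequest.isSecure()), so it is never
            // sent over plain HTTP.
            .headers(headers -> headers
                .httpStrictTransportSecurity(hsts -> hsts
                    // one year, as browsers expect before the policy is "sticky"
                    .maxAgeInSeconds(31536000)
                    // protect subdomains too (cookies scoped to the parent domain)
                    .includeSubDomains(true)))
                    // preload(true) is only meaningful once the domain is submitted
                    // to the browser preload lists, so it is left at its default here
            .authorizeHttpRequests(auth -> auth
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Both decisions hinge on `HttpServletRequest.isSecure()`. When TLS is terminated at a load balancer and the application server has not been taught about forwarded headers (see the proxy section below), every request looks insecure to the application: `requiresSecure()` then redirects in a loop and the HSTS header is never written, even though clients are using HTTPS. On the WebFlux stack the equivalents are `ServerHttpSecurity.redirectToHttps()` and `headers(h -> h.hsts(...))`.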

[[http-proxy-server]]
== Proxy Server Configuration

When using a proxy server, it is important to ensure that you have configured your application properly.
For example, many applications have a load balancer that responds to requests for https://example.com/ by forwarding the request to an application server at https://192.168.1:8080.
Without proper configuration, the application server cannot know that the load balancer exists and treats the request as though https://192.168.1:8080 was requested by the client.

To fix this, you can use https://tools.ietf.org/html/rfc7239[RFC 7239] to specify that a load balancer is being used.
To make the application aware of this, you need to configure your application server to be aware of the X-Forwarded headers.
For example, Tomcat uses https://tomcat.apache.org/tomcat-10.1-doc/api/org/apache/catalina/valves/RemoteIpValve.html[`RemoteIpValve`] and Jetty uses https://eclipse.dev/jetty/javadoc/jetty-11/org/eclipse/jetty/server/ForwardedRequestCustomizer.html[`ForwardedRequestCustomizer`].
Alternatively, Spring users can use https://docs.spring.io/spring-framework/reference/web/webmvc/filters.html#filters-forwarded-headers[`ForwardedHeaderFilter`] with the Servlet stack or https://docs.spring.io/spring-framework/reference/web/webflux/reactive-spring.html#webflux-forwarded-headers[`ForwardedHeaderTransformer`] with the Reactive stack.

Spring Boot users can use the `server.forward-headers-strategy` property to configure the application.
See the https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto.webserver.use-behind-a-proxy-server[Spring Boot documentation] for further details.
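
To make concrete what the Servlet-stack `ForwardedHeaderFilter` changes about a request, here is an added example (not from the page or from the Spring Framework project) that pushes a constructed request through the filter using the `spring-test` mock objects. The backend host name `app-server.internal`, the `/login` path and the header values are made up for the demonstration; the headers are the ones a TLS-terminating load balancer typically adds.

```java
import jakarta.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.filter.ForwardedHeaderFilter;

// Added example (not from the original page): what the application sees
// before and after ForwardedHeaderFilter processes X-Forwarded-* headers.
public class ForwardedHeaderDemo {

    // Constructed sample: the load balancer received https://example.com/login
    // and forwarded it over plain HTTP to the app server, adding X-Forwarded-*
    // headers. Host name and path are placeholders.
    static MockHttpServletRequest forwardedRequest() {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/login");
        request.setScheme("http");
        request.setServerName("app-server.internal");
        request.setServerPort(8080);
        request.addHeader("X-Forwarded-Proto", "https");
        request.addHeader("X-Forwarded-Host", "example.com");
        request.addHeader("X-Forwarded-Port", "443");
        return request;
    }

    // Runs the request through ForwardedHeaderFilter and returns the wrapped
    // request that the rest of the filter chain (and the controllers) would see.
    static HttpServletRequest applyForwardedHeaders(HttpServletRequest request) throws Exception {
        MockFilterChain chain = new MockFilterChain();
        new ForwardedHeaderFilter().doFilter(request, new MockHttpServletResponse(), chain);
        return (HttpServletRequest) chain.getRequest();
    }

    // Same filter in remove-only mode: the forwarded headers are stripped and
    // nothing in them is trusted. This is the safe setting for an application
    // that is reachable directly, not only through the proxy.
    static HttpServletRequest stripForwardedHeaders(HttpServletRequest request) throws Exception {
        ForwardedHeaderFilter filter = new ForwardedHeaderFilter();
        filter.setRemoveOnly(true);
        MockFilterChain chain = new MockFilterChain();
        filter.doFilter(request, new MockHttpServletResponse(), chain);
        return (HttpServletRequest) chain.getRequest();
    }

    public static void main(String[] args) throws Exception {
        HttpServletRequest raw = forwardedRequest();
        System.out.println("without filter: " + raw.getRequestURL()
                + " secure=" + raw.isSecure());

        HttpServletRequest seen = applyForwardedHeaders(forwardedRequest());
        System.out.println("with filter:    " + seen.getRequestURL()
                + " secure=" + seen.isSecure());

        HttpServletRequest stripped = stripForwardedHeaders(forwardedRequest());
        System.out.println("remove-only:    " + stripped.getRequestURL()
                + " X-Forwarded-Proto=" + stripped.getHeader("X-Forwarded-Proto"));
    }
}
```

Without the filter, `getScheme()`, `getServerName()` and `isSecure()` describe the hop from the load balancer (plain HTTP to the internal host), which is exactly the mistaken view the paragraph above describes; after the filter they describe the client's original `https://example.com` request, so the HTTPS redirect, HSTS and any absolute URLs the application builds behave correctly. In Spring Boot, `server.forward-headers-strategy=framework` registers this filter for you, and `native` delegates to the container mechanism instead (`RemoteIpValve` on Tomcat, `ForwardedRequestCustomizer` on Jetty). Note that `ForwardedHeaderFilter` trusts whatever forwarded headers arrive, so enable it only when the application is reachable solely through a proxy that overwrites client-supplied `X-Forwarded-*` headers; where that is not guaranteed, prefer the remove-only mode shown above or the container mechanism, which restricts trust to configured proxy addresses (for Tomcat under Spring Boot, `server.tomcat.remoteip.internal-proxies`).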