mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-05-05 15:57:26 +00:00
f01a13aa52
mkdir -p docs/modules/ROOT/ mkdir -p docs/modules/ROOT/pages/ git checkout antora-2.x docs/antora.yml git checkout antora-2.x docs/modules/ROOT/nav.adoc mv docs/manual/src/docs/asciidoc/images docs/modules/ROOT/ mv docs/manual/src/docs/asciidoc/_includes/* docs/modules/ROOT/pages/ cp ~/code/rwinch/spring-reference/*antora* ~/code/spring-projects/spring-security/ mv docs/modules/ROOT/pages/about docs/modules/ROOT/pages/overview
33 lines
2.3 KiB
Plaintext
33 lines
2.3 KiB
Plaintext
[[http]]
|
|
= HTTP
|
|
|
|
All HTTP based communication, including https://www.troyhunt.com/heres-why-your-static-website-needs-https/[static resources], should be protected https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html[using TLS].
|
|
|
|
As a framework, Spring Security does not handle HTTP connections and thus does not provide support for HTTPS directly.
|
|
However, it does provide a number of features that help with HTTPS usage.
|
|
|
|
[[http-redirect]]
|
|
== Redirect to HTTPS
|
|
|
|
When a client uses HTTP, Spring Security can be configured to redirect to HTTPS both <<servlet-http-redirect,Servlet>> and <<webflux-http-redirect,WebFlux>> environments.
|
|
|
|
[[http-hsts]]
|
|
== Strict Transport Security
|
|
|
|
Spring Security provides support for <<headers-hsts,Strict Transport Security>> and enables it by default.
|
|
|
|
[[http-proxy-server]]
|
|
== Proxy Server Configuration
|
|
|
|
When using a proxy server it is important to ensure that you have configured your application properly.
|
|
For example, many applications will have a load balancer that responds to request for https://example.com/ by forwarding the request to an application server at https://192.168.1:8080.
|
|
Without proper configuration, the application server will not know that the load balancer exists and treat the request as though https://192.168.1:8080 was requested by the client.
|
|
|
|
To fix this you can use https://tools.ietf.org/html/rfc7239[RFC 7239] to specify that a load balancer is being used.
|
|
To make the application aware of this, you need to either configure your application server aware of the X-Forwarded headers.
|
|
For example Tomcat uses the https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html[RemoteIpValve] and Jetty uses https://www.eclipse.org/jetty/javadoc/jetty-9/org/eclipse/jetty/server/ForwardedRequestCustomizer.html[ForwardedRequestCustomizer].
|
|
Alternatively, Spring users can leverage https://github.com/spring-projects/spring-framework/blob/v4.3.3.RELEASE/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java[ForwardedHeaderFilter].
|
|
|
|
Spring Boot users may use the `server.use-forward-headers` property to configure the application.
|
|
See the https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-use-tomcat-behind-a-proxy-server[Spring Boot documentation] for further details.
|