GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Spring Security
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
18492 Commits
61 Branches
369 Tags
120 MiB
 
 
 
 
Tree: c43afbf5e1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c43afbf5e1'
${ noResults }
spring-security/docs/modules/ROOT/pages/reactive/exploits/http.adoc

93 lines
2.3 KiB
Raw Blame History

[[webflux-http]]
= HTTP
All HTTP-based communication should be protected with xref:features/exploits/http.adoc#http[using TLS].
This section covers details about using WebFlux-specific features that assist with HTTPS usage.
[[webflux-http-redirect]]
== Redirect to HTTPS
If a client makes a request using HTTP rather than HTTPS, you can configure Spring Security to redirect to HTTPS.
The following Java configuration redirects any HTTP requests to HTTPS:
.Redirect to HTTPS
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
// ...
.redirectToHttps(withDefaults());
return http.build();
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
redirectToHttps { }
}
}
----
======
You can wrap the configuration can be wrapped around an `if` statement to be turned on only in production.
Alternatively, you can enable it by looking for a property about the request that happens only in production.
For example, if the production environment adds a header named `X-Forwarded-Proto`, you should use the following Java Configuration:
.Redirect to HTTPS when X-Forwarded
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
// ...
.redirectToHttps((redirect) -> redirect
.httpsRedirectWhen((e) -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
);
return http.build();
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
redirectToHttps {
httpsRedirectWhen {
it.request.headers.containsKey("X-Forwarded-Proto")
}
}
}
}
----
======
[[webflux-hsts]]
== Strict Transport Security
Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-headers-hsts[Strict Transport Security] and enables it by default.
[[webflux-http-proxy-server]]
== Proxy Server Configuration
Spring Security xref:features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].