github
/
spring-security
spegling av https://github.com/spring-projects/spring-security


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293
							[[webflux-http]]
= HTTP

All HTTP-based communication should be protected with xref:features/exploits/http.adoc#http[using TLS].

This section covers details about using WebFlux-specific features that assist with HTTPS usage.

[[webflux-http-redirect]]
== Redirect to HTTPS

If a client makes a request using HTTP rather than HTTPS, you can configure Spring Security to redirect to HTTPS.

The following Java configuration redirects any HTTP requests to HTTPS:

.Redirect to HTTPS
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	http
		// ...
		.redirectToHttps(withDefaults());
	return http.build();
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        // ...
        redirectToHttps { }
    }
}
----
======

You can wrap the configuration can be wrapped around an `if` statement to be turned on only in production.
Alternatively, you can enable it by looking for a property about the request that happens only in production.
For example, if the production environment adds a header named `X-Forwarded-Proto`, you should use the following Java Configuration:

.Redirect to HTTPS when X-Forwarded
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	http
		// ...
		.redirectToHttps((redirect) -> redirect
			.httpsRedirectWhen((e) -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
		);
	return http.build();
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        // ...
        redirectToHttps {
            httpsRedirectWhen {
                it.request.headers.containsKey("X-Forwarded-Proto")
            }
        }
    }
}
----
======

[[webflux-hsts]]
== Strict Transport Security

Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-headers-hsts[Strict Transport Security] and enables it by default.

[[webflux-http-proxy-server]]
== Proxy Server Configuration

Spring Security xref:features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].