spring-security/docs/modules/ROOT/pages/servlet/exploits/http.adoc

[[servlet-http]]
= HTTP

All HTTP-based communication should be protected xref:features/exploits/http.adoc#http[using TLS].

This section discusses the details of servlet-specific features that assist with HTTPS usage.

[[servlet-http-redirect]]
== Redirect to HTTPS

If a client makes a request using HTTP rather than HTTPS, you can configure Spring Security to redirect to HTTPS.

For example, the following Java or Kotlin configuration redirects any HTTP requests to HTTPS:

.Redirect to HTTPS
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			// ...
			.requiresChannel(channel -> channel
				.anyRequest().requiresSecure()
			);
		return http.build();
	}
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            // ...
            requiresChannel {
                secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")
            }
        }
        return http.build()
    }
}
----
======

The following XML configuration redirects all HTTP requests to HTTPS

.Redirect to HTTPS with XML Configuration
[source,xml]
----
<http>
	<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
...
</http>
----


[[servlet-hsts]]
== Strict Transport Security

Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-headers-hsts[Strict Transport Security] and enables it by default.

[[servlet-http-proxy-server]]
== Proxy Server Configuration

Spring Security xref:features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].