For the latest stable version, please use Spring Security 6.4.1!

HTTP

All HTTP based communication should be protected using TLS.

Below you can find details around WebFlux specific features that assist with HTTPS usage.

Redirect to HTTPS

If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS.

For example, the following Java configuration will redirect any HTTP requests to HTTPS:

Redirect to HTTPS
  • Java

  • Kotlin

@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	http
		// ...
		.redirectToHttps(withDefaults());
	return http.build();
}
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        // ...
        redirectToHttps { }
    }
}

The configuration can easily be wrapped around an if statement to only be turned on in production. Alternatively, it can be enabled by looking for a property about the request that only happens in production. For example, if the production environment adds a header named X-Forwarded-Proto the following Java Configuration could be used:

Redirect to HTTPS when X-Forwarded
  • Java

  • Kotlin

@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	http
		// ...
		.redirectToHttps(redirect -> redirect
			.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
		);
	return http.build();
}
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        // ...
        redirectToHttps {
            httpsRedirectWhen {
                it.request.headers.containsKey("X-Forwarded-Proto")
            }
        }
    }
}

Strict Transport Security

Spring Security provides support for Strict Transport Security and enables it by default.

Proxy Server Configuration