This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.4.2!

HTTP

All HTTP-based communication should be protected using TLS.

This section discusses the details of servlet-specific features that assist with HTTPS usage.

Redirect to HTTPS

If a client makes a request using HTTP rather than HTTPS, you can configure Spring Security to redirect to HTTPS.

For example, the following Java or Kotlin configuration redirects any HTTP requests to HTTPS:

Redirect to HTTPS (Java)
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			// ...
			.requiresChannel(channel -> channel
				.anyRequest().requiresSecure()
			);
		return http.build();
	}
}

Redirect to HTTPS (Kotlin)
@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            // ...
            requiresChannel {
                secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")
            }
        }
        return http.build()
    }
}

The following XML configuration redirects all HTTP requests to HTTPS:

Redirect to HTTPS with XML Configuration
<http>
	<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
	<!-- ... -->
</http>

Strict Transport Security

Spring Security provides support for Strict Transport Security and enables it by default.
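
The redirect and Strict Transport Security work together: the redirect moves a plain-HTTP request to HTTPS, and the HSTS header on the HTTPS response tells the browser to skip plain HTTP on later visits. The following is an added example, not part of the Spring Security reference, that combines both with an explicit port mapping; the class name and the ports 9080 and 9443 are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class HttpsOnlySecurityConfig { // hypothetical class name

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			// Assumption: the application listens on 9080 (HTTP) and 9443 (HTTPS).
			// The default port mappings are 80 -> 443 and 8080 -> 8443, so any
			// other pair has to be declared for the redirect to target the right port.
			.portMapper(ports -> ports
				.http(9080).mapsTo(9443)
			)
			// Redirect every plain-HTTP request to its HTTPS equivalent.
			.requiresChannel(channel -> channel
				.anyRequest().requiresSecure()
			)
			// HSTS is enabled by default; stating it explicitly documents the policy.
			// These values match the defaults (one year, subdomains included).
			// The header is written only on responses to HTTPS requests.
			.headers(headers -> headers
				.httpStrictTransportSecurity(hsts -> hsts
					.maxAgeInSeconds(31536000)
					.includeSubDomains(true)
				)
			);
		return http.build();
	}
}
```

The first request a browser makes over plain HTTP is still sent in the clear before the redirect takes effect, which is why the redirect alone does not replace HSTS.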

Proxy Server Configuration