
Proxy Server Configuration

When using a proxy server, it is important to ensure that you have configured your application properly. For example, many applications will have a load balancer that responds to requests for example.com/ by forwarding the request to an application server at 192.168.1:8080. Without proper configuration, the application server will not know that the load balancer exists and will treat the request as though 192.168.1:8080 was requested by the client.

To fix this, you can use RFC 7239 to specify that a load balancer is being used. To make the application aware of this, you need to configure your application server to be aware of the X-Forwarded headers. For example, Tomcat uses the RemoteIpValve and Jetty uses ForwardedRequestCustomizer. Alternatively, Spring 4.3+ users can leverage ForwardedHeaderFilter.

Spring Boot users may use the server.use-forward-headers property to configure the application. See the Spring Boot documentation for further details.