This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.4.1!

HTTP

All HTTP-based communication, including static resources, should be protected by using TLS.

As a framework, Spring Security does not handle HTTP connections and thus does not provide support for HTTPS directly. However, it does provide a number of features that help with HTTPS usage.

Redirect to HTTPS

When a client uses HTTP, you can configure Spring Security to redirect to HTTPS in both Servlet and WebFlux environments.

Strict Transport Security

Spring Security provides support for Strict Transport Security and enables it by default. Note that the Strict-Transport-Security header is only written to responses for requests the container considers secure (HTTPS), so an application that sits behind a TLS-terminating proxy without the proxy configuration described below will never emit it.
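As an added example (not code from the Spring Security documentation or project), the following configuration applies both points above: it redirects plain-HTTP requests to HTTPS and explicitly tunes the HSTS header. The Servlet class uses the HttpSecurity API of the 6.4 line and the WebFlux class the equivalent ServerHttpSecurity API; only the class matching your stack belongs in a real application, and the authorization and form-login calls are placeholders for whatever your application actually needs.

```java
import java.time.Duration;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.server.SecurityWebFilterChain;

/**
 * Servlet stack: redirect HTTP to HTTPS and tighten the default HSTS header.
 * (Example configuration, not part of Spring Security itself.)
 */
@Configuration
@EnableWebSecurity
class ServletHttpsConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Any request that did not arrive over HTTPS (request.isSecure() == false)
            // is answered with a redirect to the same URL using the https scheme
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            // HSTS is already on by default; this explicitly sets a one-year max-age,
            // covers subdomains and opts in to browser preload lists
            .headers(headers -> headers
                .httpStrictTransportSecurity(hsts -> hsts
                    .maxAgeInSeconds(31536000)
                    .includeSubDomains(true)
                    .preload(true)))
            // Placeholder authorization rules for this example
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}

/**
 * WebFlux stack: the same policy expressed with ServerHttpSecurity.
 * (Example configuration, not part of Spring Security itself.)
 */
@Configuration
@EnableWebFluxSecurity
class ReactiveHttpsConfig {

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            // Redirect every non-HTTPS exchange to its https equivalent
            .redirectToHttps(Customizer.withDefaults())
            .headers(headers -> headers
                .hsts(hsts -> hsts
                    .maxAge(Duration.ofDays(365))
                    .includeSubdomains(true)
                    .preload(true)))
            // Placeholder authorization rules for this example
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            .formLogin(Customizer.withDefaults())
            .build();
    }
}
```

Both the redirect and the HSTS header depend on the request being recognized as secure. Behind a load balancer that terminates TLS, that recognition only works once the container has been told to honor the proxy's forwarded headers, as described in the Proxy Server Configuration section; without it the redirect rule loops and the HSTS header is never sent.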

Proxy Server Configuration

When using a proxy server, it is important to ensure that you have configured your application properly. For example, many applications sit behind a load balancer that responds to requests for https://example.com/ by forwarding them to an application server at https://192.168.0.107:8080. Without proper configuration, the application server cannot know that the load balancer exists and treats the request as though https://192.168.0.107:8080 was requested by the client, so redirects, absolute URLs and (where the load balancer terminates TLS) the secure-channel and HSTS decisions are all based on the wrong host, port or scheme.

To fix this, the load balancer announces itself to the application with the Forwarded header defined in RFC 7239, or with the older de facto X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host headers, and the application server is configured to honor those headers. For example, Tomcat uses RemoteIpValve and Jetty uses ForwardedRequestCustomizer. Alternatively, Spring users can use ForwardedHeaderFilter with the Servlet stack or ForwardedHeaderTransformer with the Reactive stack. Whichever mechanism you choose, it must run before Spring Security's filter chain so that the HTTPS redirect and HSTS logic see the client-facing scheme, and it should honor the headers only for requests that actually arrived from your proxy: if the application server is reachable directly, a client can otherwise send X-Forwarded-Proto: https to bypass the HTTPS redirect, or a forged X-Forwarded-For to defeat address-based access rules and logging.

Spring Boot users can use the server.forward-headers-strategy property to configure the application: native delegates to the container's own support (such as Tomcat's RemoteIpValve, whose trusted address range is set with server.tomcat.remoteip.internal-proxies), while framework registers Spring's ForwardedHeaderFilter or ForwardedHeaderTransformer. See the Spring Boot documentation for further details.
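As an added example (not code from Spring Security, Spring Boot or Tomcat), the following Spring Boot configuration wires Tomcat's RemoteIpValve by hand so that the trust boundary is explicit: the valve rewrites the scheme, port and remote address only when the immediate peer matches the load balancer's address range. The LOAD_BALANCER_ADDRESSES pattern is a hypothetical value chosen for this example.

```java
import org.apache.catalina.valves.RemoteIpValve;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Makes embedded Tomcat honor the load balancer's forwarded headers, but only
 * when the request really came from the load balancer.
 * (Example configuration, not part of Spring Security or Spring Boot.)
 */
@Configuration
public class LoadBalancerAwareTomcatConfig {

    // Regular expression matching the load balancers' addresses.
    // Hypothetical value for this example; replace it with your own range.
    private static final String LOAD_BALANCER_ADDRESSES = "10\\.0\\.1\\.\\d{1,3}";

    @Bean
    WebServerFactoryCustomizer<TomcatServletWebServerFactory> remoteIpValveCustomizer() {
        return factory -> {
            RemoteIpValve valve = new RemoteIpValve();
            // Headers that carry the original client address and scheme
            valve.setRemoteIpHeader("X-Forwarded-For");
            valve.setProtocolHeader("X-Forwarded-Proto");
            valve.setProtocolHeaderHttpsValue("https");
            // Port reported to the application for requests that were HTTPS at the
            // load balancer, so redirects and absolute URLs do not leak the backend port
            valve.setHttpsServerPort(443);
            // The valve only applies the X-Forwarded-* headers when
            // request.getRemoteAddr() matches this pattern. Requests from any other
            // peer keep their real address and scheme, so a client that reaches the
            // application server directly cannot spoof X-Forwarded-Proto: https
            // or X-Forwarded-For to get past the HTTPS redirect or address checks.
            valve.setInternalProxies(LOAD_BALANCER_ADDRESSES);
            factory.addEngineValves(valve);
        };
    }
}
```

The valve runs inside Tomcat before any servlet filter, so Spring Security's requiresSecure() rule and the HSTS header writer see the client-facing scheme without further ordering work. The equivalent declarative setup is server.forward-headers-strategy=native together with server.tomcat.remoteip.internal-proxies (and, if your proxy uses non-standard header names, server.tomcat.remoteip.protocol-header and server.tomcat.remoteip.remote-ip-header); note that Tomcat's default internal-proxies pattern already matches the private address ranges, so narrowing it to the actual load balancer addresses is what turns it into a real trust boundary.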