22. Redirect to HTTPS

22. Redirect to HTTPS
Prev	Part III. Reactive Applications	Next

HTTPS is required to provide a secure application. Spring Security can be configured to perform a redirect to https using the following Java Configuration:

@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http
        // ...
        .redirectToHttps(withDefaults());
    return http.build();
}

The configuration can easily be wrapped around an if statement to only be turned on in production. Alternatively, it can be enabled by looking for a property about the request that only happens in production. For example, if the production environment adds a header named X-Forwarded-Proto the following Java Configuration could be used:

@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http
        // ...
        .redirectToHttps(redirectToHttps ->
            redirectToHttps
                .httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
        );
    return http.build();
}

Prev	Up	Next
21. Default Security Headers	Home	23. OAuth2 WebFlux