For the latest stable version, please use Spring Security 6.4.1!spring-doc.cn

HTTP

All HTTP based communication should be protected using TLS.spring-doc.cn

Below you can find details around WebFlux specific features that assist with HTTPS usage.spring-doc.cn

Redirect to HTTPS

If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS.spring-doc.cn

For example, the following Java configuration will redirect any HTTP requests to HTTPS:spring-doc.cn

Redirect to HTTPS
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	http
		// ...
		.redirectToHttps(withDefaults());
	return http.build();
}
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        // ...
        redirectToHttps { }
    }
}

The configuration can easily be wrapped around an if statement to only be turned on in production. Alternatively, it can be enabled by looking for a property about the request that only happens in production. For example, if the production environment adds a header named X-Forwarded-Proto the following Java Configuration could be used:spring-doc.cn

Redirect to HTTPS when X-Forwarded
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	http
		// ...
		.redirectToHttps(redirect -> redirect
			.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
		);
	return http.build();
}
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        // ...
        redirectToHttps {
            httpsRedirectWhen {
                it.request.headers.containsKey("X-Forwarded-Proto")
            }
        }
    }
}

Strict Transport Security

Spring Security provides support for Strict Transport Security and enables it by default.spring-doc.cn

Proxy Server Configuration