When a client uses HTTP, you can configure Spring Security to redirect to HTTPS in both Servlet and WebFlux environments.spring-doc.cn

Spring Security provides support for Strict Transport Security and enables it by default.spring-doc.cn

When using a proxy server, it is important to ensure that you have configured your application properly. For example, many applications have a load balancer that responds to request for https://example.com/ by forwarding the request to an application server at https://192.168.0.107 Without proper configuration, the application server can not know that the load balancer exists and treats the request as though https://192.168.0.107:8080 was requested by the client.spring-doc.cn

To fix this, you can use RFC 7239 to specify that a load balancer is being used. To make the application aware of this, you need to configure your application server to be aware of the X-Forwarded headers. For example, Tomcat uses RemoteIpValve and Jetty uses ForwardedRequestCustomizer. Alternatively, Spring users can use ForwardedHeaderFilter with the Servlet stack or ForwardedHeaderTransformer with the Reactive stack.spring-doc.cn

Spring Boot users can use the server.forward-headers-strategy property to configure the application. See the Spring Boot documentation for further details.spring-doc.cn