Allows finding and replacing http:// with https://, with exclusions for URLs on which https:// cannot be used.
Today it is important for everything, including static sites, to be served over https. It can be difficult to switch to https:// and then to keep using https://.
This is the core project that allows finding and replacing http:// with https://. For additional integrations refer to https://github.com/spring-io/nohttp
The recommended process for determining if it is ok to use http:
If https is possible, then use https.
If you cannot use https, then consider the following:
If your project uses the URL to make a request over a network, then you need to use https.
It is acceptable to use localhost to make a request using http, since the request does not leave the machine.
If you need to test URLs that use http, then consider using the localhost TLD as defined by RFC 2606.
Links that users click on should prefer https, but if the site does not support https you may decide to whitelist the URL.
If the link is an XML namespace name (which is just an identifier), then you can use http. The XML namespace location should still be https.
Whitelisted HTTP URLs
There are times when URLs cannot use https:// for reasons beyond our control. Fortunately, nohttp provides a default whitelist and supports whitelisting additional URLs.
The default whitelist covers these primary categories:
We will not add a whitelist entry for arbitrary sites that do not support https.
The reasoning is that context is important.
A specific project may provide a link to a site that does not support https. Ideally that site is updated to support https, but linking to it is not considered a vulnerability. This means that the URL could be added to your custom whitelist.
However, another project may be downloading from the same site that does not support https. In this case it is a vulnerability and needs to be fixed.
Since nohttp cannot understand the context, it will not whitelist arbitrary sites that do not support https.
Adding Custom Rules
This project provides a default whitelist. However, other projects may end up with their own use cases. Fortunately, nohttp supports custom whitelists as well.
You can invoke RegexHttpMatcher.addHttpUrlWhitelist(Predicate<String>) to add entries to the existing whitelist. The Predicate receives the URL that was found and returns whether that URL is whitelisted.
The simplest way to add a custom whitelist is to provide it as an InputStream. The format of the InputStream is defined as:
Each line contains a regular expression for a URL that should be whitelisted
Lines beginning with // are comments
Lines are trimmed of surrounding whitespace
Empty lines are ignored
// Ignore Maven XML Namespace id of http://maven.apache.org/POM/4.0.0
^http://maven\.apache\.org/POM/4.0.0$
// Whitelist Company XML namespace names but not the locations (which end in .xsd)
^http://mycompany.test/xml/.*(?<!\.(xsd))$
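As an added example (not nohttp's own code), the whitelist format above is parsed into a Predicate<String> of the kind RegexHttpMatcher.addHttpUrlWhitelist accepts, and then applied to a constructed pom.xml fragment to see which http:// URLs still need fixing. The class name WhitelistExample, the URL-finding regex and the sample input are assumptions made for this example.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class WhitelistExample {
    // Assumed URL finder for this example: whitespace and '"<> end a URL.
    private static final Pattern HTTP_URL = Pattern.compile("http://[^\\s\"'<>]+");

    // Parses the whitelist format described above: one regular expression per line,
    // lines starting with // are comments, whitespace is trimmed, empty lines are skipped.
    static Predicate<String> whitelistFrom(InputStream in) throws IOException {
        List<Pattern> patterns = new ArrayList<>();
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                String rule = line.trim();
                if (rule.isEmpty() || rule.startsWith("//")) continue;
                patterns.add(Pattern.compile(rule)); // matched against the whole URL, so anchor with ^ and $
            }
        }
        // The predicate receives each http:// URL that was found, as addHttpUrlWhitelist expects.
        return url -> patterns.stream().anyMatch(p -> p.matcher(url).matches());
    }

    // Returns the http:// URLs in text that are not whitelisted, i.e. the ones to switch to https://.
    static List<String> findHttpViolations(String text, Predicate<String> whitelist) {
        List<String> violations = new ArrayList<>();
        Matcher m = HTTP_URL.matcher(text);
        while (m.find()) {
            if (!whitelist.test(m.group())) violations.add(m.group());
        }
        return violations;
    }

    public static void main(String[] args) throws IOException {
        // Constructed whitelist (the two rules from the example above) and a constructed pom.xml fragment.
        String rules = "// Maven POM namespace id\n^http://maven\\.apache\\.org/POM/4.0.0$\n"
            + "  // company namespace names, but not the .xsd locations\n"
            + "^http://mycompany.test/xml/.*(?<!\\.(xsd))$\n";
        Predicate<String> whitelist = whitelistFrom(new ByteArrayInputStream(rules.getBytes(StandardCharsets.UTF_8)));
        String pom = "<project xmlns=\"http://maven.apache.org/POM/4.0.0\" xmlns:mc=\"http://mycompany.test/xml/schema\"\n"
            + "  xsi:schemaLocation=\"http://mycompany.test/xml/schema http://mycompany.test/xml/schema.xsd\">\n"
            + "  <url>http://example.com/downloads</url>";
        System.out.println(findHttpViolations(pom, whitelist));
    }
}
```

The two namespace names pass the whitelist, while the .xsd schema location and the download URL are reported, because the lookbehind in the second rule deliberately excludes locations that are fetched over the network.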