All HTTP-based communication should be protected using TLS.
This section discusses the details of servlet-specific features that assist with HTTPS usage.
If a client makes a request using HTTP rather than HTTPS, you can configure Spring Security to redirect to HTTPS.
For example, the following Java or Kotlin configuration redirects any HTTP requests to HTTPS:
Example 1. Redirect to HTTPS
- Java
-
@Configuration @EnableWebSecurity public class WebSecurityConfig { @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http // ... .requiresChannel(channel -> channel .anyRequest().requiresSecure() ); return http.build(); } }
- Kotlin
-
@Configuration @EnableWebSecurity class SecurityConfig { @Bean open fun filterChain(http: HttpSecurity): SecurityFilterChain { http { // ... requiresChannel { secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL") } } return http.build() } }
The following XML configuration redirects all HTTP requests to HTTPS
Redirect to HTTPS with XML Configuration
<http>
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
...
</http>
Spring Security provides support for Strict Transport Security and enables it by default.
Spring Security integrates with proxy servers.