This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.3.4! |
HTTP
All HTTP-based communication, including static resources, should be protected by using TLS.
As a framework, Spring Security does not handle HTTP connections and thus does not provide support for HTTPS directly. However, it does provide a number of features that help with HTTPS usage.
Strict Transport Security
Spring Security provides support for Strict Transport Security and enables it by default.
Proxy Server Configuration
When using a proxy server, it is important to ensure that you have configured your application properly.
For example, many applications have a load balancer that responds to request for https://example.com/
by forwarding the request to an application server at https://192.168.0.107
Without proper configuration, the application server can not know that the load balancer exists and treats the request as though https://192.168.0.107:8080
was requested by the client.
To fix this, you can use RFC 7239 to specify that a load balancer is being used.
To make the application aware of this, you need to configure your application server to be aware of the X-Forwarded headers.
For example, Tomcat uses RemoteIpValve
and Jetty uses ForwardedRequestCustomizer
.
Alternatively, Spring users can use ForwardedHeaderFilter
with the Servlet stack or ForwardedHeaderTransformer
with the Reactive stack.
Spring Boot users can use the server.forward-headers-strategy
property to configure the application.
See the Spring Boot documentation for further details.