Skip to content

Spring 中文文档社区
Spring 中文文档社区

开发云 / Spring 中文文档社区

通知 435
Star 128
Fork 144
Spring 中文文档社区
Spring 中文文档社区

前往新版Gitcode,体验更适合开发者的 AI 搜索 >>

切换分支/标签
查找文件 普通视图历史永久链接Permalink
reactive-exploits-http.md 2.0 KB
编辑Web IDE
Newer Older
茶陵後's avatar
#1 添加英文原文  
茶陵後 已提交
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 
# HTTP

All HTTP based communication should be protected [using TLS](../../features/exploits/http.html#http).

Below you can find details around WebFlux specific features that assist with HTTPS usage.

## Redirect to HTTPS

If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS.

For example, the following Java configuration will redirect any HTTP requests to HTTPS:

Example 1. Redirect to HTTPS

Java

```
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	http
		// ...
		.redirectToHttps(withDefaults());
	return http.build();
}
```

Kotlin

```
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        // ...
        redirectToHttps { }
    }
}
```

The configuration can easily be wrapped around an if statement to only be turned on in production.
Alternatively, it can be enabled by looking for a property about the request that only happens in production.
For example, if the production environment adds a header named `X-Forwarded-Proto` the following Java Configuration could be used:

Example 2. Redirect to HTTPS when X-Forwarded

Java

```
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	http
		// ...
		.redirectToHttps(redirect -> redirect
			.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
		);
	return http.build();
}
```

Kotlin

```
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        // ...
        redirectToHttps {
            httpsRedirectWhen {
                it.request.headers.containsKey("X-Forwarded-Proto")
            }
        }
    }
}
```

## Strict Transport Security

Spring Security provides support for [Strict Transport Security](../../servlet/exploits/headers.html#servlet-headers-hsts) and enables it by default.

## Proxy Server Configuration

Spring Security [integrates with proxy servers](../../features/exploits/http.html#http-proxy-server).