# HTTP

All HTTP-based communication should be protected [using TLS](../../features/exploits/http.html#http).

Below are details of the Servlet-specific features that help with HTTPS usage.

## Redirect to HTTPS

If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS.

For example, the following Java configuration will redirect any HTTP requests to HTTPS:

Example 1. Redirect to HTTPS

Java

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends
		WebSecurityConfigurerAdapter {

	// HttpSecurity.requiresChannel(...) declares "throws Exception",
	// so the override has to declare it as well.
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http
			// ...
			// Every request must arrive over a secure channel; plain HTTP
			// requests are answered with a redirect to the HTTPS equivalent.
			.requiresChannel(channel -> channel
				.anyRequest().requiresSecure()
			);
	}
}
```

Kotlin

```kotlin
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.web.servlet.invoke
import org.springframework.security.web.util.matcher.AnyRequestMatcher

@Configuration
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
        // The Kotlin DSL is provided by the "invoke" import above.
        http {
            // ...
            // Every request must arrive over a secure channel; plain HTTP
            // requests are answered with a redirect to the HTTPS equivalent.
            requiresChannel {
                secure(AnyRequestMatcher.INSTANCE, "REQUIRES_SECURE_CHANNEL")
            }
        }
    }
}
```

The following XML configuration redirects all HTTP requests to HTTPS:

Example 2. Redirect to HTTPS with XML Configuration

```xml
<http>
	<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
...
</http>
```
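Whichever of the configurations above is used, the behaviour worth verifying is the one the filter chain actually produces: a plain HTTP request must receive a redirect whose `Location` points at the HTTPS equivalent of the same URL, with the path and query string preserved. The following JUnit 5 test is an added example and is not part of the Spring Security reference; it assumes a Spring Boot application that contains the configuration above together with the `spring-boot-starter-test` dependency, and the class and method names (`RequiresSecureChannelTests`, `plainHttpRequestIsRedirectedToHttps`, `nonStandardHttpPortIsMappedByDefaultPortMapper`) are made up for the example.

```java
// Added example (not from the Spring Security reference). Assumes a Spring Boot
// application containing the WebSecurityConfig shown above and the
// spring-boot-starter-test dependency. Class and method names are hypothetical.
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class RequiresSecureChannelTests {

	@Autowired
	MockMvc mockMvc;

	@Test
	void plainHttpRequestIsRedirectedToHttps() throws Exception {
		// MockMvc takes scheme and host from the URL; with no explicit port the
		// request reports port 80, which the default PortMapper maps to 443, so
		// the redirect target carries no port. Path and query string survive.
		// The redirect happens in ChannelProcessingFilter, before authentication,
		// so it does not depend on whatever authorization rules sit behind "// ...".
		this.mockMvc.perform(get("http://localhost/account?tab=profile"))
				.andExpect(status().is3xxRedirection())
				.andExpect(redirectedUrl("https://localhost/account?tab=profile"));
	}

	@Test
	void nonStandardHttpPortIsMappedByDefaultPortMapper() throws Exception {
		// The default PortMapper only knows 80 -> 443 and 8080 -> 8443. An
		// application listening on any other HTTP port needs an explicit
		// http.portMapper() mapping, or the Location header will be wrong.
		this.mockMvc.perform(get("http://localhost:8080/"))
				.andExpect(status().is3xxRedirection())
				.andExpect(redirectedUrl("https://localhost:8443/"));
	}
}
```

The second test documents the caveat a deployment review most often trips over: the redirect target is computed from the inbound port through the `PortMapper`, so a service on a port other than 80 or 8080 must configure the mapping explicitly. Behind a proxy that terminates TLS, the same filter sees every request as plain HTTP and would redirect endlessly unless the forwarded-scheme information is honoured; see the proxy server section below.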

## Strict Transport Security

Spring Security provides support for [Strict Transport Security](headers.html#servlet-headers-hsts) and enables it by default.

## Proxy Server Configuration

Spring Security [integrates with proxy servers](../../features/exploits/http.html#http-proxy-server).
