# HTTP

All HTTP-based communication, including [static resources](https://www.troyhunt.com/heres-why-your-static-website-needs-https/), should be protected [using TLS](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html).

As a framework, Spring Security does not handle HTTP connections and thus does not provide support for HTTPS directly. However, it does provide a number of features that help with HTTPS usage.

## Redirect to HTTPS

When a client uses HTTP, Spring Security can be configured to redirect to HTTPS in both [Servlet](../../servlet/exploits/http.html#servlet-http-redirect) and [WebFlux](../../reactive/exploits/http.html#webflux-http-redirect) environments.

## Strict Transport Security

Spring Security provides support for [Strict Transport Security](headers.html#headers-hsts) and enables it by default.

## Proxy Server Configuration

When using a proxy server it is important to ensure that you have configured your application properly. For example, many applications will have a load balancer that responds to requests for [https://example.com/](https://example.com/) by forwarding the request to an application server at [https://192.168.1:8080](https://192.168.1:8080). Without proper configuration, the application server will not know that the load balancer exists and will treat the request as though [https://192.168.1:8080](https://192.168.1:8080) was requested by the client.

To fix this you can use [RFC 7239](https://tools.ietf.org/html/rfc7239) to specify that a load balancer is being used. To make the application aware of this, you need to configure your application server to be aware of the X-Forwarded headers. For example, Tomcat uses the [RemoteIpValve](https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html) and Jetty uses [ForwardedRequestCustomizer](https://www.eclipse.org/jetty/javadoc/jetty-9/org/eclipse/jetty/server/ForwardedRequestCustomizer.html).
Alternatively, Spring users can leverage [ForwardedHeaderFilter](https://github.com/spring-projects/spring-framework/blob/v4.3.3.RELEASE/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java). Spring Boot users may use the `server.use-forward-headers` property to configure the application. See the [Spring Boot documentation](https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-use-tomcat-behind-a-proxy-server) for further details.
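
The proxy scenario above, as an added plain-Java example (not Spring, Tomcat or Jetty code): it reconstructs the origin the client requested from the X-Forwarded headers, and uses them only when the direct peer is the known load balancer, since any client can send these headers itself. The class and method names, the proxy address `10.0.0.5` and the host `app.internal` are assumptions made for the illustration.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added illustration; not Spring, Tomcat or Jetty code. All names are hypothetical.
public class ForwardedOriginDemo {

    // Assumption: address of the load balancer as seen by the application server (constructed).
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");

    static int defaultPort(String scheme) {
        return "https".equals(scheme) ? 443 : 80;
    }

    // Returns the origin the client requested. X-Forwarded-* values are used only when
    // the direct peer is a known proxy; otherwise the connection's own values are kept.
    // Header names are expected as lowercase keys; X-Forwarded-Host is assumed to carry no port.
    static String effectiveOrigin(String peerAddr, String scheme, String host, int port,
                                  Map<String, String> headers) {
        if (TRUSTED_PROXIES.contains(peerAddr)) {
            String proto = headers.get("x-forwarded-proto");
            if ("http".equalsIgnoreCase(proto) || "https".equalsIgnoreCase(proto)) {
                scheme = proto.toLowerCase(Locale.ROOT);
                port = defaultPort(scheme); // the proxy's listener, unless a port is forwarded
            }
            String fwdHost = headers.get("x-forwarded-host");
            if (fwdHost != null && !fwdHost.isBlank()) {
                host = fwdHost.trim();
            }
            String fwdPort = headers.get("x-forwarded-port");
            if (fwdPort != null && fwdPort.matches("\\d{1,5}")) {
                port = Integer.parseInt(fwdPort);
            }
        }
        return scheme + "://" + host + (port == defaultPort(scheme) ? "" : ":" + port);
    }

    public static void main(String[] args) {
        // Constructed sample: headers a load balancer would add for https://example.com/
        Map<String, String> fwd = Map.of("x-forwarded-proto", "https", "x-forwarded-host", "example.com");
        // Request arriving through the load balancer: forwarded values are applied.
        System.out.println(effectiveOrigin("10.0.0.5", "http", "app.internal", 8080, fwd));
        // Same headers from an unknown peer: ignored, the connection's values are kept.
        System.out.println(effectiveOrigin("203.0.113.9", "http", "app.internal", 8080, fwd));
        // Load balancer connection without forwarded headers: nothing to apply.
        System.out.println(effectiveOrigin("10.0.0.5", "http", "app.internal", 8080, Map.of()));
    }
}
```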