All HTTP based communication, including static resources (opens new window), should be protected using TLS (opens new window).

As a framework, Spring Security does not handle HTTP connections and thus does not provide support for HTTPS directly. However, it does provide a number of features that help with HTTPS usage.

# Redirect to HTTPS

When a client uses HTTP, Spring Security can be configured to redirect to HTTPS both Servlet and WebFlux environments.

# Strict Transport Security

Spring Security provides support for Strict Transport Security and enables it by default.

# Proxy Server Configuration

When using a proxy server it is important to ensure that you have configured your application properly. For example, many applications will have a load balancer that responds to request for https://example.com/ (opens new window) by forwarding the request to an application server at https://192.168.1:8080 (opens new window). Without proper configuration, the application server will not know that the load balancer exists and treat the request as though https://192.168.1:8080 (opens new window) was requested by the client.

To fix this you can use RFC 7239 (opens new window) to specify that a load balancer is being used. To make the application aware of this, you need to either configure your application server aware of the X-Forwarded headers. For example Tomcat uses the RemoteIpValve (opens new window) and Jetty uses ForwardedRequestCustomizer (opens new window). Alternatively, Spring users can leverage ForwardedHeaderFilter (opens new window).

Spring Boot users may use the server.use-forward-headers property to configure the application. See the Spring Boot documentation (opens new window) for further details.