spring-security/docs/modules/ROOT/pages/reactive/exploits/http.adoc

[[webflux-http]]
= HTTP

All HTTP based communication should be protected <<http,using TLS>>.

Below you can find details around WebFlux specific features that assist with HTTPS usage.

[[webflux-http-redirect]]
== Redirect to HTTPS

If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS.

For example, the following Java configuration will redirect any HTTP requests to HTTPS:

.Redirect to HTTPS
====
.Java
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	http
		// ...
		.redirectToHttps(withDefaults());
	return http.build();
}
----

.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        // ...
        redirectToHttps { }
    }
}
----
====

The configuration can easily be wrapped around an if statement to only be turned on in production.
Alternatively, it can be enabled by looking for a property about the request that only happens in production.
For example, if the production environment adds a header named `X-Forwarded-Proto` the following Java Configuration could be used:

.Redirect to HTTPS when X-Forwarded
====
.Java
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	http
		// ...
		.redirectToHttps(redirect -> redirect
			.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
		);
	return http.build();
}
----

.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        // ...
        redirectToHttps {
            httpsRedirectWhen {
                it.request.headers.containsKey("X-Forwarded-Proto")
            }
        }
    }
}
----
====

[[webflux-hsts]]
== Strict Transport Security

Spring Security provides support for <<servlet-headers-hsts,Strict Transport Security>> and enables it by default.

[[webflux-http-proxy-server]]
== Proxy Server Configuration

Spring Security <<http-proxy-server,integrates with proxy servers>>.
Extract HTTPS Documentation Fixes gh-7626 2019-11-26 05:49:51 +08:00			`[[webflux-http]]`
			`= HTTP`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-19 10:12:37 +08:00
Extract HTTPS Documentation Fixes gh-7626 2019-11-26 05:49:51 +08:00			`All HTTP based communication should be protected <<http,using TLS>>.`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-19 10:12:37 +08:00
Extract HTTPS Documentation Fixes gh-7626 2019-11-26 05:49:51 +08:00			`Below you can find details around WebFlux specific features that assist with HTTPS usage.`

			`[[webflux-http-redirect]]`
			`== Redirect to HTTPS`

			`If a client makes a request using HTTP rather than HTTPS, Spring Security can be configured to redirect to HTTPS.`

			`For example, the following Java configuration will redirect any HTTP requests to HTTPS:`

			`.Redirect to HTTPS`
			`====`
Add reactive HTTP exploit samples Issue gh-8172 2020-09-18 20:43:23 +08:00			`.Java`
			`[source,java,role="primary"]`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-19 10:12:37 +08:00			`----`
			`@Bean`
Remove exceptions from lambda security configuration Fixes: gh-7128 2019-07-25 00:15:32 +08:00			`SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-19 10:12:37 +08:00			`http`
			`// ...`
Support nested builder in DSL for reactive apps Fixes: gh-7107 2019-07-22 21:31:10 +08:00			`.redirectToHttps(withDefaults());`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-19 10:12:37 +08:00			`return http.build();`
			`}`
			`----`
Add reactive HTTP exploit samples Issue gh-8172 2020-09-18 20:43:23 +08:00
			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`@Bean`
			`fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {`
			`return http {`
			`// ...`
			`redirectToHttps { }`
			`}`
			`}`
			`----`
Extract HTTPS Documentation Fixes gh-7626 2019-11-26 05:49:51 +08:00			`====`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-19 10:12:37 +08:00
			`The configuration can easily be wrapped around an if statement to only be turned on in production.`
			`Alternatively, it can be enabled by looking for a property about the request that only happens in production.`
			For example, if the production environment adds a header named `X-Forwarded-Proto` the following Java Configuration could be used:

Extract HTTPS Documentation Fixes gh-7626 2019-11-26 05:49:51 +08:00			`.Redirect to HTTPS when X-Forwarded`
			`====`
Add reactive HTTP exploit samples Issue gh-8172 2020-09-18 20:43:23 +08:00			`.Java`
			`[source,java,role="primary"]`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-19 10:12:37 +08:00			`----`
			`@Bean`
Remove exceptions from lambda security configuration Fixes: gh-7128 2019-07-25 00:15:32 +08:00			`SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-19 10:12:37 +08:00			`http`
			`// ...`
Use standard lambda syntax in documentation Fixes: gh-7774 2020-01-10 20:10:36 +08:00			`.redirectToHttps(redirect -> redirect`
			`.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))`
Support nested builder in DSL for reactive apps Fixes: gh-7107 2019-07-22 21:31:10 +08:00			`);`
Add WebFlux Redirect to HTTPS Reference Fixes: gh-5869 2018-09-19 10:12:37 +08:00			`return http.build();`
			`}`
			`----`
Add reactive HTTP exploit samples Issue gh-8172 2020-09-18 20:43:23 +08:00
			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`@Bean`
			`fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {`
			`return http {`
			`// ...`
			`redirectToHttps {`
			`httpsRedirectWhen {`
			`it.request.headers.containsKey("X-Forwarded-Proto")`
			`}`
			`}`
			`}`
			`}`
			`----`
Extract HTTPS Documentation Fixes gh-7626 2019-11-26 05:49:51 +08:00			`====`

			`[[webflux-hsts]]`
			`== Strict Transport Security`

			`Spring Security provides support for <<servlet-headers-hsts,Strict Transport Security>> and enables it by default.`

			`[[webflux-http-proxy-server]]`
			`== Proxy Server Configuration`

Fix Asciidoctor Warnings Closes gh-7973 2020-02-11 00:47:21 +08:00			`Spring Security <<http-proxy-server,integrates with proxy servers>>.`