78.3 Enable HTTPS when running behind a proxy server
Ensuring that all your main endpoints are only available over HTTPS is an important chore for any application. If you are using Tomcat as a servlet container, then Spring Boot will add Tomcat’s own RemoteIpValve
automatically if it detects some environment settings, and you should be able to rely on the HttpServletRequest
to report whether it is secure or not (even downstream of a proxy server that handles the real SSL termination). The standard behavior is determined by the presence or absence of certain request headers (x-forwarded-for
and x-forwarded-proto
), whose names are conventional, so it should work with most front end proxies. You can switch on the valve by adding some entries to application.properties
, e.g.
server.tomcat.remote_ip_header=x-forwarded-for server.tomcat.protocol_header=x-forwarded-proto
(The presence of either of those properties will switch on the valve. Or you can add the RemoteIpValve
yourself by adding a TomcatEmbeddedServletContainerFactory
bean.)
Spring Security can also be configured to require a secure channel for all (or some requests). To switch that on in a Spring Boot application you just need to set security.require_ssl
to true
in application.properties
.