Skip to content

Commit

Permalink
Merge branch '6.1.x'
Browse files Browse the repository at this point in the history
  • Loading branch information
marcusdacoregio committed Nov 7, 2023
2 parents 77acaaa + 148e9e5 commit 9eee988
Show file tree
Hide file tree
Showing 2 changed files with 5 additions and 5 deletions.
6 changes: 3 additions & 3 deletions docs/modules/ROOT/pages/features/exploits/headers.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -114,12 +114,12 @@ X-Content-Type-Options: nosniff
Refer to the relevant sections to see how to customize the defaults for both xref:servlet/exploits/headers.adoc#servlet-headers-hsts[servlet] and xref:reactive/exploits/headers.adoc#webflux-headers-hsts[webflux] based applications.
====

When you type in your bank's website, do you enter `mybank.example.com` or do you enter `https://mybank.example.com`?
When you type in your bank's website, do you enter `mybank.example.com` or do you enter `\https://mybank.example.com`?
If you omit the `https` protocol, you are potentially vulnerable to https://en.wikipedia.org/wiki/Man-in-the-middle_attack[Man-in-the-Middle attacks].
Even if the website performs a redirect to https://mybank.example.com, a malicious user could intercept the initial HTTP request and manipulate the response (for example, redirect to https://mibank.example.com and steal their credentials).
Even if the website performs a redirect to `\https://mybank.example.com`, a malicious user could intercept the initial HTTP request and manipulate the response (for example, redirect to `\https://mibank.example.com` and steal their credentials).

Many users omit the `https` protocol, and this is why https://tools.ietf.org/html/rfc6797[HTTP Strict Transport Security (HSTS)] was created.
Once `mybank.example.com` is added as a https://tools.ietf.org/html/rfc6797#section-5.1[HSTS host], a browser can know ahead of time that any request to mybank.example.com should be interpreted as https://mybank.example.com.
Once `mybank.example.com` is added as a https://tools.ietf.org/html/rfc6797#section-5.1[HSTS host], a browser can know ahead of time that any request to mybank.example.com should be interpreted as `\https://mybank.example.com`.
This greatly reduces the possibility of a Man-in-the-Middle attack occurring.

[NOTE]
Expand Down
4 changes: 2 additions & 2 deletions docs/modules/ROOT/pages/features/exploits/http.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,8 @@ Spring Security provides support for xref:features/exploits/headers.adoc#headers
== Proxy Server Configuration

When using a proxy server, it is important to ensure that you have configured your application properly.
For example, many applications have a load balancer that responds to request for https://example.com/ by forwarding the request to an application server at https://192.168.0.107
Without proper configuration, the application server can not know that the load balancer exists and treats the request as though https://192.168.0.107:8080 was requested by the client.
For example, many applications have a load balancer that responds to request for `\https://example.com/` by forwarding the request to an application server at `\https://192.168.0.107`
Without proper configuration, the application server can not know that the load balancer exists and treats the request as though `\https://192.168.0.107:8080` was requested by the client.

To fix this, you can use https://tools.ietf.org/html/rfc7239[RFC 7239] to specify that a load balancer is being used.
To make the application aware of this, you need to configure your application server to be aware of the X-Forwarded headers.
Expand Down

0 comments on commit 9eee988

Please sign in to comment.