Spring Team Open Sources NoHTTP to Minimize HTTP Usage

The Spring team has open-sourced the nohttp project to find, replace, and block the use of http://.

The project aims to replace http:// with https:// wherever possible, to protect against man-in-the-middle attacks.

Rob Winch, the project lead for Spring Security, Session, and LDAP, pointed out that the Spring team is making every effort to update all URLs to use HTTPS, including project Maven repository URLs, Apache License, and documentation links.

However, there are cases where HTTPS cannot be used, such as when certain sites linked by Spring do not support HTTPS, or when XML namespace identifiers must match those in the document.

The Spring Framework has now been updated so that XML schema locations using HTTPS are also resolved via the classpath. Previously, this applied only to locations using HTTP.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
        https://www.springframework.org/schema/beans/spring-beans.xsd">
    <!-- bean definitions go here -->
</beans>

The https://www.springframework.org/schema/beans/spring-beans.xsd URL above is resolved through the classpath without requiring a network connection.

In this case, the XML namespace name (identifier) cannot be changed to use HTTPS. From a security control perspective, this is not ideal, but since it does not involve network requests, it poses almost no harm to users.
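The distinction above, between namespace identifiers that must stay http:// and schema locations that should be https://, can be enforced mechanically. The following is an added example, not code from the article or from the nohttp project: a minimal scanner that flags http:// URLs but skips xmlns values and the namespace half of each schemaLocation pair. The function name, the regular expressions, and the sample document are assumptions made for illustration.

```python
import re

# Illustration only; this is not nohttp's own matching logic.
# Constructed sample: the Spring beans header from the article, plus one
# schemaLocation whose *location* half still uses http:// (the case to flag).
SAMPLE = '''<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:ctx="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
        https://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context.xsd">
  <!-- docs: http://example.com/guide -->
</beans>
'''

HTTP_URL = re.compile(r'http://[^\s"\'<>]+')
XMLNS = re.compile(r'xmlns(?::[\w.-]+)?\s*=\s*["\'](http://[^"\']+)["\']')
SCHEMA_LOC = re.compile(r'schemaLocation\s*=\s*["\']([^"\']*)["\']')


def find_insecure_urls(text):
    """Return [(line_number, url)] for http:// URLs that can trigger a fetch.

    Namespace identifiers (xmlns values and the first token of each
    schemaLocation pair) are names, not fetch targets, so they are skipped.
    """
    skip = set()  # character offsets of http:// occurrences that are identifiers
    for m in XMLNS.finditer(text):
        skip.add(m.start(1))
    for m in SCHEMA_LOC.finditer(text):
        # schemaLocation is whitespace-separated (namespace, location) pairs.
        tokens = list(re.finditer(r'\S+', m.group(1)))
        for tok in tokens[0::2]:
            skip.add(m.start(1) + tok.start())
    findings = []
    for m in HTTP_URL.finditer(text):
        if m.start() not in skip:
            line = text.count('\n', 0, m.start()) + 1
            findings.append((line, m.group()))
    return findings


if __name__ == "__main__":
    for line, url in find_insecure_urls(SAMPLE):
        print(f"line {line}: {url}")
```

Run as a pre-commit or CI step, a non-empty result would fail the build, which is the same "block" role the article describes for nohttp.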

On the other hand, Rob stated that the Spring team has updated all hosts to ensure the use of HTTPS, with each site supporting HTTPS, redirecting to HTTPS, and using Strict Transport Security.

The earlier potential for man-in-the-middle attacks meant that the infrastructure could have been compromised, which is why Spring rebuilt all build infrastructure and rotated all credentials.

These security measures are crucial, but Rob emphasized that having security controls in place is also important to ensure that issues do not recur. Thus, the team updated the build box to block HTTP traffic while creating the nohttp project to protect developers and users.

nohttp can be used to find, replace, and block the use of http://

The project repository includes several major modules:

nohttp – Core, allows finding and replacing http:// URLs

nohttp-cli – Lightweight nohttp wrapper for command-line execution

nohttp-checkstyle – nohttp integrated with checkstyle

nohttp-gradle – nohttp integrated with Gradle

samples – Some nohttp use cases

For more details, see the project introduction:

https://github.com/spring-io/nohttp

Related links:

blog.csdn.net/ybulingbuling/article/details/99682361
