[[howto.security]] == Security This section addresses questions about security when working with Spring Boot, including questions that arise from using Spring Security with Spring Boot. For more about Spring Security, see the {spring-security}[Spring Security project page]. [[howto.security.switch-off-spring-boot-configuration]] === Switch off the Spring Boot Security Configuration If you define a `@Configuration` with a `WebSecurityConfigurerAdapter` or a `SecurityFilterChain` bean in your application, it switches off the default webapp security settings in Spring Boot. [[howto.security.change-user-details-service-and-add-user-accounts]] === Change the UserDetailsService and Add User Accounts If you provide a `@Bean` of type `AuthenticationManager`, `AuthenticationProvider`, or `UserDetailsService`, the default `@Bean` for `InMemoryUserDetailsManager` is not created. This means you have the full feature set of Spring Security available (such as {spring-security-docs}#servlet-authentication[various authentication options]). The easiest way to add user accounts is to provide your own `UserDetailsService` bean. [[howto.security.enable-https]] === Enable HTTPS When Running behind a Proxy Server Ensuring that all your main endpoints are only available over HTTPS is an important chore for any application. If you use Tomcat as a servlet container, then Spring Boot adds Tomcat's own `RemoteIpValve` automatically if it detects some environment settings, and you should be able to rely on the `HttpServletRequest` to report whether it is secure or not (even downstream of a proxy server that handles the real SSL termination). The standard behavior is determined by the presence or absence of certain request headers (`x-forwarded-for` and `x-forwarded-proto`), whose names are conventional, so it should work with most front-end proxies. You can switch on the valve by adding some entries to `application.properties`, as shown in the following example: [source,yaml,indent=0,subs="verbatim",configprops,configblocks] ---- server: tomcat: remoteip: remote-ip-header: "x-forwarded-for" protocol-header: "x-forwarded-proto" ---- (The presence of either of those properties switches on the valve. Alternatively, you can add the `RemoteIpValve` by customizing the `TomcatServletWebServerFactory` using a `WebServerFactoryCustomizer` bean.) To configure Spring Security to require a secure channel for all (or some) requests, consider adding your own `SecurityFilterChain` bean that adds the following `HttpSecurity` configuration: [source,java,indent=0,subs="verbatim"] ---- include::{docs-java}/howto/security/enablehttps/MySecurityConfig.java[] ----