How Spring’s nohttp Project Eliminates Insecure HTTP URLs

Spring’s open‑source nohttp project scans for, replaces, and blocks insecure http:// URLs across codebases, so that HTTPS is used and man‑in‑the‑middle attacks are prevented. It includes modules such as nohttp‑cli, nohttp‑checkstyle, and Gradle integration, and it addresses cases where HTTPS isn’t feasible.

Su San Talks Tech

The Spring team open‑sourced the nohttp project to locate, replace, and block the use of http:// URLs, with the aim of avoiding man‑in‑the‑middle attacks.

The project ensures that whenever HTTPS is possible, HTTP is not used, and all Spring URLs—including Maven repository URLs, license links, and documentation—have been updated to HTTPS. In cases where HTTPS cannot be used (e.g., external sites without HTTPS support or XML namespace constraints), the tool still prevents network requests.

Spring Framework now resolves XML schema locations via the classpath, allowing HTTPS URLs without network access.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
         https://www.springframework.org/schema/beans/spring-beans.xsd">
    <!-- The xmlns values are namespace identifiers; only the .xsd location uses https:// -->
</beans>

URL resolution via classpath without network connection

Although XML namespace identifiers cannot be changed to HTTPS, the lack of network requests means little risk to users.
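The scan-and-replace idea with an exception list for namespace identifiers, as an added Python sketch; it is not nohttp's own code or API. The two-entry allowlist, the function names and the sample file (including the example.com license URL) are constructed for illustration.

```python
import re

# Assumption: a minimal allowlist of XML namespace identifiers. They are names,
# not fetch targets, so they stay http://. This is not nohttp's real allowlist.
ALLOWED_IDENTIFIERS = {
    "http://www.springframework.org/schema/beans",
    "http://www.w3.org/2001/XMLSchema-instance",
}

# An http:// URL ends at whitespace, a quote or an angle bracket;
# trailing sentence punctuation is not treated as part of the URL.
HTTP_URL = re.compile(r"http://[^\s\"'<>]*[^\s\"'<>.,;)]")

def find_insecure(text):
    """Return (line_number, url) for each http:// URL that is not allowlisted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in HTTP_URL.finditer(line):
            # Exact match, not prefix match: the beans namespace is allowed,
            # but the .xsd location underneath it is a real download URL.
            if match.group(0) not in ALLOWED_IDENTIFIERS:
                findings.append((lineno, match.group(0)))
    return findings

def rewrite(text):
    """Upgrade flagged URLs to https://, assuming each host serves HTTPS."""
    def upgrade(match):
        url = match.group(0)
        if url in ALLOWED_IDENTIFIERS:
            return url
        return "https://" + url[len("http://"):]
    return HTTP_URL.sub(upgrade, text)

# Constructed sample: the bean file shown above, before its URLs were fixed.
SAMPLE = '''<?xml version="1.0" encoding="UTF-8"?>
<!-- License: http://example.com/license. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd">
</beans>
'''

if __name__ == "__main__":
    for lineno, url in find_insecure(SAMPLE):
        print(f"line {lineno}: {url}")
    print(rewrite(SAMPLE))
```

A build check would fail when `find_insecure` returns anything, which is the "block" half of the workflow.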

Rob Winch notes that the Spring team has updated all hosts to support HTTPS, enabled redirects, and applied Strict Transport Security.

The nohttp project also rebuilds the build infrastructure and rotates credentials to eliminate potential MITM vulnerabilities.

Project modules

nohttp – core module for searching and replacing http:// URLs.

nohttp-cli – lightweight command‑line wrapper.

nohttp-checkstyle – integration with Checkstyle.

nohttp-gradle – Gradle integration.

samples – example use cases.

For more details, see the GitHub repository:

https://github.com/spring-io/nohttp
