Spring nohttp Project: Blocking HTTP URLs and Enhancing Security

Spring team open‑sourced the nohttp project to locate, replace, and block the use of http:// URLs, ensuring that HTTPS is used wherever possible to avoid man‑in‑the‑middle attacks.

Rob Winch, lead of Spring Security, Session and LDAP, stated that the team has updated all URLs—including Maven repository URLs, Apache License links, and documentation—to use HTTPS, and has rotated credentials and rebuilt the build infrastructure.

In some cases HTTPS cannot be used (e.g., certain Spring sites do not support it or XML namespace identifiers must match), but the framework now resolves HTTPS locations from the classpath without network access.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        https://www.springframework.org/schema/beans/spring-beans.xsd">

The above XML demonstrates a class‑path‑resolved schema URL that does not require a network request.

The nohttp library consists of several modules:

nohttp – core module for finding and replacing http:// URLs.

nohttp-cli – lightweight command‑line wrapper.

nohttp-checkstyle – integration with Checkstyle.

nohttp-gradle – integration with Gradle.

samples – example use cases.

For more details, see the project page at https://github.com/spring-io/nohttp .

Additionally, the article promotes a free Alibaba Cloud server offer (1‑year, 1‑core 2 GB or 2‑core 2 GB, up to 1500 units, valued at 90,000 CNY) and advertises a 7701‑page PDF of large‑tech‑company interview questions.