Spring nohttp Project: Scanning and Blocking Insecure HTTP URLs
The Spring nohttp project is an open‑source tool that scans and replaces insecure http:// URLs with HTTPS, preventing man‑in‑the‑middle attacks, updating Maven and documentation links, offering multiple modules and a command‑line interface, and providing example XML configuration for secure classpath resolution.
Spring’s open‑source nohttp project was created to locate, replace, and block the use of http:// URLs, thereby eliminating potential man‑in‑the‑middle attacks and ensuring that all resources are accessed securely via HTTPS.
The team updated every URL in Maven repository definitions, Apache License references, and documentation links to use HTTPS, and enforced Strict Transport Security on all sites, guaranteeing automatic redirection to secure connections.
In cases where HTTPS is unavailable—such as external sites lacking HTTPS support or XML namespace identifiers that must remain unchanged—the project resolves URLs via the classpath, avoiding network calls while maintaining functionality.
To reinforce security, Spring rebuilt its build infrastructure, rotated all credentials, and introduced the nohttp library to block HTTP traffic at build time, protecting both developers and end users.
The nohttp library consists of several modules:
nohttp – core library for finding and replacing http:// URLs
nohttp‑cli – lightweight command‑line wrapper
nohttp‑checkstyle – integration with Checkstyle
nohttp‑gradle – Gradle plugin integration
samples – example use cases
Example XML configuration used by the project:
<?xml version="1.0" encoding="UTF-8"?>
<!-- The xmlns values are namespace identifiers and stay http://; the schema location uses https:// -->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
</beans>
The project’s source code and further documentation are available at https://github.com/spring-io/nohttp.
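The scan-with-exceptions behaviour described above, as an added example in Python (not nohttp's own code or API): it flags http:// URLs line by line, skips an assumed allowlist holding the two XML namespace identifiers from the configuration, and rewrites everything else to https://. The sample document, the repo.example.org URL, and all function names are constructed for illustration.

```python
import re

# Matches an http:// URL up to whitespace, a quote, or an angle bracket.
HTTP_URL = re.compile(r"http://[^\s\"'<>]+")

# Assumed allowlist: identifiers that must stay http:// because they are
# names rather than fetched locations (the XML namespaces shown on the page).
ALLOWLIST = [
    re.compile(r"^http://www\.springframework\.org/schema/beans$"),
    re.compile(r"^http://www\.w3\.org/2001/XMLSchema-instance$"),
]

def is_allowed(url, allowlist=ALLOWLIST):
    """True when the whole URL matches an allowlisted identifier."""
    return any(p.match(url) for p in allowlist)

def find_insecure_urls(text, allowlist=ALLOWLIST):
    """Return (line_number, url) for every http:// URL not on the allowlist."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in HTTP_URL.finditer(line):
            if not is_allowed(m.group(0), allowlist):
                findings.append((lineno, m.group(0)))
    return findings

def rewrite_to_https(text, allowlist=ALLOWLIST):
    """Switch non-allowlisted http:// URLs to https://, leaving identifiers alone."""
    def swap(m):
        url = m.group(0)
        return url if is_allowed(url, allowlist) else "https://" + url[len("http://"):]
    return HTTP_URL.sub(swap, text)

# Constructed sample: the page's XML with the XSD location and a repository
# URL deliberately left on plain HTTP.
SAMPLE = '''<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <!-- constructed: repository URL on plain HTTP -->
  <bean id="repo" class="java.lang.String">
    <constructor-arg value="http://repo.example.org/maven2"/>
  </bean>
</beans>
'''

if __name__ == "__main__":
    for lineno, url in find_insecure_urls(SAMPLE):
        print(f"line {lineno}: {url}")
    print(rewrite_to_https(SAMPLE))
```

The allowlist patterns are anchored at both ends, so the namespace identifier passes while the longer XSD location that merely starts with it is still flagged.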
