Documentation

You are viewing the documentation for the 2.6.0 release in the 2.6.x series of releases. The latest stable release series is 3.0.x.

§Redirect HTTPS Filter

Play provides a filter which will redirect all HTTP requests to HTTPS automatically.

§Enabling the HTTPS filter

To enable the filter, add it to play.filters.enabled:

play.filters.enabled += play.filters.https.RedirectHttpsFilter

§Determining Secure Requests

The filter evaluates a request to be secure if request.secure is true.

This logic is set by the trusted proxies configured for Play’s HTTP engine. Internally, play.core.server.common.ForwardedHeaderHandler and play.api.mvc.request.RemoteConnection determine between them whether an incoming request meets the criteria to be “secure”, meaning that the request has gone through HTTPS at some point.

A request that is not secure is redirected according to the redirect code determined through configuration.

§Strict Transport Security

The Strict Transport Security header is used to indicate when HTTPS should always be used, and is added to a secure request.

This header is only enabled in production, since HSTS can cause problems in development by forcing the browser to always assume https://localhost:9000 for the application – this is especially an issue when working with multiple projects.

The default is “max-age=31536000; includeSubDomains”, and can be set explicitly by adding the following to application.conf:

play.filters.https.strictTransportSecurity="max-age=31536000; includeSubDomains"

§Redirect code

The filter redirects using HTTP code 308, which is a permanent redirect that does not change the HTTP method according to RFC 7238. This will work with the vast majority of browsers, but you can change the redirect code if working with older browsers:

play.filters.https.redirectStatusCode = 301

§Custom HTTPS Port

If the HTTPS server is on a custom port, then the redirect URL needs to be aware of it. If the port is specified:

play.filters.https.port = 9443

then the URL in the Location header will include the port specifically, e.g. https://playframework.com:9443/some/url

Next: Extending Play with modules