HTTP Reference

This document explains various HTTP features that you can use in Quarkus.

HTTP is provided using Eclipse Vert.x as the base HTTP layer. Servlet’s are supported using a modified version of Undertow that runs on top of Vert.x, and RESTEasy is used to provide JAX-RS support. If Undertow is present RESTEasy will run as a Servlet filter, otherwise it will run directly on top of Vert.x with no Servlet involvement.

1. Serving Static Resources

To serve static resources you must place them in the META-INF/resources directory of your application. This location was chosen as it is the standard location for resources in jar files as defined by the Servlet spec. Even though Quarkus can be used without Servlet following this convention allows existing code that places its resources in this location to function correctly.

1.1. WebJar Locator Support

If you are using webjars, like the following JQuery one:


and rather write /webjars/jquery/jquery.min.js instead of /webjars/jquery/3.1.1/jquery.min.js in your HTML files, you can add the quarkus-webjars-locator extension to your project. To use it, add the following to your project’s dependencies:


1.2. HTTP Compression

The response body of a static resource is not compressed by default. You can enable the HTTP compression support by means of quarkus.http.enable-compression=true. If compression support is enabled then the response body is compressed if the Content-Type header derived from the file name of a resource is a compressed media type as configured via quarkus.http.compress-media-types.

By default, the following list of media types is compressed: text/html, text/plain, text/xml, text/css, text/javascript and application/javascript.
If the client does not support HTTP compression then the response body is not compressed.

2. Configuring the Context path

By default Quarkus will serve content from under the root context. If you want to change this you can use the quarkus.http.root-path config key to set the context path.

If you are using Servlet you can control the Servlet context path via quarkus.servlet.context-path. This item is relative to the http root above, and will only affect Servlet and things that run on top of Servlet. Most applications will want to use the HTTP root as this affects everything that Quarkus serves.

If both are specified then all non-Servlet web endpoints will be relative to quarkus.http.root-path, while Servlet’s will be served relative to {quarkus.http.root-path}/{quarkus.servlet.context-path}.

If REST Assured is used for testing and quarkus.http.root-path is set then Quarkus will automatically configure the base URL for use in Quarkus tests, so test URL’s should not include the root path.

In general, path configurations for web content are interpreted relative to quarkus.http.root-path (which is / by default).

  • To specify paths within this context root, use a relative path that does not begin with a forward slash.

  • If you want to specify the URI explicitly, so it is always the same regardless of the value of quarkus.http.root-path, use an absolute path that begins with a forward slash.

As an example, if an extension configures a service path, that endpoint will be served from ${quarkus.http.root-path}/service. If you change the configuration of that path to /service, that endpoint will be served from /service.

The Path Resolution in Quarkus blog post further explains how path resolution works for both user and extension defined paths.

3. Supporting secure connections with SSL

In order to have Quarkus support secure connections, you must either provide a certificate and associated key file, or supply a keystore.

In both cases, a password must be provided. See the designated paragraph for a detailed description of how to provide it.

To enable SSL support with native executables, please refer to our Using SSL With Native Executables guide.

3.1. Providing a certificate and key file

If the certificate has not been loaded into a keystore, it can be provided directly using the properties listed below. Quarkus will first try to load the given files as resources, and uses the filesystem as a fallback. The certificate / key pair will be loaded into a newly created keystore on startup.

Your would then look like this:


3.2. Providing a keystore

An alternate solution is to directly provide a keystore which already contains a default entry with a certificate You will need to at least provide the file and a password.

As with the certificate/key file combination, Quarkus will first try to resolve the given path as a resource, before attempting to read it from the filesystem.

Add the following property to your


As an optional hint, the type of keystore can be provided as one of the options listed. If the type is not provided, Quarkus will try to deduce it from the file extensions, defaulting to type JKS.

quarkus.http.ssl.certificate.key-store-file-type=[one of JKS, JCEKS, P12, PKCS12, PFX]

3.3. Setting the password

In both aforementioned scenarios, a password needs to be provided to create/load the keystore with. The password can be set in your (in plain-text) using the following property:


However, instead of providing the password as plain-text in the configuration file (which is considered bad practice), it can instead be supplied (using MicroProfile Config) as the environment variable QUARKUS_HTTP_SSL_CERTIFICATE_KEY_STORE_PASSWORD. This will also work in tandem with Kubernetes secrets.

Note: in order to remain compatible with earlier versions of Quarkus (before 0.16) the default password is set to "password". It is therefore not a mandatory parameter!

3.4. Disable the HTTP port

It is possible to disable the HTTP port and only support secure requests. This is done via the quarkus.http.insecure-requests property in There are three possible values:


The default, HTTP works as normal


HTTP requests will be redirected to the HTTPS port


The HTTP port will not be opened.

if you use redirect or disabled and have not added a SSL certificate or keystore, your server will not start!

4. Additional HTTP Headers

To enable HTTP headers to be sent on every response, add the following properties:


This will include the X-Content-Type-Options: nosniff HTTP Header on responses for requests performed on any resource in the application.

You can also specify a path pattern and the HTTP methods the header needs to be applied:


This will apply the Pragma header only when the /headers/pragma resource is called with a GET or a HEAD method

Configuration property fixed at build time - All other configuration properties are overridable at runtime

Configuration property



The path this header should be applied



The value for this header configuration



The HTTP methods for this header configuration

list of string

4.1. Additional HTTP Headers per path

If you need different header values depending on the path, you can use the following configuration:


This will set the Cache-Control header to none when /index.html is called.

The index after quarkus.http.filter in the key is used for grouping and (as an example) can be named as you like.

You can use a regular expression in the path and also specify the HTTP methods where the HTTP header will be set:


In case of overlapping paths in the configuration, you can specify an order (higher values take precedence). For example, having the following configuration:



Will include the Cache-Control: max-age=1 header when /paths/order is requested.

Configuration property fixed at build time - All other configuration properties are overridable at runtime

Configuration property



A regular expression for the paths matching this configuration



Additional HTTP Headers always sent in the response


The HTTP methods for this path configuration

list of string


5. HTTP/2 Support

HTTP/2 is enabled by default, and will be used by browsers if SSL is in use on JDK11 or higher. JDK8 does not support ALPN so cannot be used to run HTTP/2 over SSL. Even if SSL is not in use HTTP/2 via cleartext upgrade is supported, and may be used by non-browser clients.

If you want to disable HTTP/2 you can set:


6. Listening on a Random Port

If you don’t want to specify a port you can set quarkus.http.port=0 or quarkus.http.test-port=0. A random open port will be picked by the OS, and a log message printed in the console. When the port is bound the quarkus.http.port system property will be set to the actual port that was selected, so you can use this to get the actual port number from inside the application. If you are in a test you can inject the URL normally and this will be configured with the actual port, and REST Assured will also be configured appropriately.

As this sets a system property you can access quarkus.http.port via MicroProfile Config, however if you use injection the injected value may not always be correct. This port allocation is one of the last things to happen in Quarkus startup, so if your object that is being injected is created eagerly before the port has opened the injected value will not be correct.

7. CORS filter

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.

Quarkus comes with a CORS filter which implements the javax.servlet.Filter interface and intercepts all incoming HTTP requests. It can be enabled in the Quarkus configuration file, src/main/resources/


If the filter is enabled and an HTTP request is identified as cross-origin, the CORS policy and headers defined using the following properties will be applied before passing the request on to its actual target (servlet, JAX-RS resource, etc.):

Configuration property fixed at build time - All other configuration properties are overridable at runtime

Configuration property



Origins allowed for CORS Comma separated list of valid URLs, e.g.:,http://localhost:3000 In case an entry of the list is surrounded by forward slashes, it is interpreted as a regular expression. The filter allows any origin if this is not set. default: returns any requested origin as valid

list of string

HTTP methods allowed for CORS Comma separated list of valid methods. ex: GET,PUT,POST The filter allows any method if this is not set. default: returns any requested method as valid

list of string

HTTP headers allowed for CORS Comma separated list of valid headers. ex: X-Custom,Content-Disposition The filter allows any header if this is not set. default: returns any requested header as valid

list of string

HTTP headers exposed in CORS Comma separated list of valid headers. ex: X-Custom,Content-Disposition default: empty

list of string

The Access-Control-Max-Age response header value indicating how long the results of a pre-flight request can be cached.


The Access-Control-Allow-Credentials header is used to tell the browsers to expose the response to front-end JavaScript code when the request’s credentials mode Request.credentials is “include”. The value of this header will default to true if property is set and there is a match with the precise Origin header and that header is not '*'.


About the Duration format

The format for durations uses the standard java.time.Duration format. You can learn more about it in the Duration#parse() javadoc.

You can also provide duration values starting with a number. In this case, if the value consists only of a number, the converter treats the value as seconds. Otherwise, PT is implicitly prepended to the value to obtain a standard java.time.Duration format.

Here’s what a full CORS filter configuration could look like, including a regular expression defining an allowed origin:


8. HTTP Limits Configuration

Configuration property fixed at build time - All other configuration properties are overridable at runtime

Configuration property



The maximum length of all headers.



The maximum size of a request body.



The max HTTP chunk size



The maximum length of the initial line (e.g. "GET / HTTP/1.0").



The maximum length of a form attribute.



The maximum number of connections that are allowed at any one time. If this is set it is recommended to set a short idle timeout.


About the MemorySize format

A size configuration option recognises string in this format (shown as a regular expression): [0-9]+[KkMmGgTtPpEeZzYy]?. If no suffix is given, assume bytes.

9. Configuring HTTP Access Logs

You can add HTTP request logging by configuring it in There are two options for logging, either logging to the standard JBoss logging output, or logging to a dedicated file.

Configuration property fixed at build time - All other configuration properties are overridable at runtime

Configuration property



If access logging is enabled. By default this will log via the standard logging facility



A regular expression that can be used to exclude some paths from logging.


The access log pattern.

If this is the string common, combined or long then this will use one of the specified named formats:

  • common: %h %l %u %t "%r" %s %b

  • combined: %h %l %u %t "%r" %s %b "%{i,Referer}" "%{i,User-Agent}"

  • long: %r\n%{ALL_REQUEST_HEADERS}

Otherwise consult the Quarkus documentation for the full list of variables that can be used.



If logging should be done to a separate file.



The access log file base name, defaults to 'quarkus' which will give a log file name of 'quarkus.log'.



The log directory to use when logging access to a file If this is not set then the current working directory is used.




The log category to use if logging is being done via the standard log mechanism (i.e. if base-file-name is empty).



If the log should be rotated daily



Attribute Short Form Long Form

Remote IP address



Local IP address



Bytes sent, excluding HTTP headers, or '-' if no bytes were sent


Bytes sent, excluding HTTP headers



Remote host name



Request protocol



Request method



Local port



Query string (prepended with a '?' if it exists, otherwise an empty string)



First line of the request



HTTP status code of the response



Date and time, in Common Log Format format



Remote user that was authenticated



Requested URL path



Request relative path



Local server name



Time taken to process the request, in millis



Time taken to process the request, in seconds


Time taken to process the request, in micros


Time taken to process the request, in nanos


Current request thread name



SSL cypher


SSL client certificate


SSL session id


All request headers


Cookie value


Query parameter


Request header


Response header


10. Running behind a reverse proxy

Quarkus could be accessed through proxies that additionally generate headers (e.g. X-Forwarded-Host) to keep information from the client-facing side of the proxy servers that is altered or lost when they are involved. In those scenarios, Quarkus can be configured to automatically update information like protocol, host, port and URI reflecting the values in these headers.

Activating this feature leaves the server exposed to several security issues (i.e. information spoofing). Consider activate it only when running behind a reverse proxy.

To setup this feature, please include the following lines in src/main/resources/


To consider only de-facto standard header (Forwarded header), please include the following lines in src/main/resources/


To consider only non-standard headers, please include the following lines instead in src/main/resources/


Both configurations related to standard and non-standard headers can be combined, although the standard headers configuration will have precedence.

Supported forwarding address headers are:

  • Forwarded

  • X-Forwarded-Proto

  • X-Forwarded-Host

  • X-Forwarded-Port

  • X-Forwarded-Ssl

  • X-Forwarded-Prefix

One can easily add a SameSite cookie property to any of the cookies set by a Quarkus endpoint by listing a cookie name and a SameSite attribute, for example:


Given this configuration, the jwt cookie will have a SameSite=Lax attribute and the session cookie will have a SameSite=Strict attribute.

12. Servlet Config

To use Servlet you need to explicitly include quarkus-undertow:


12.1. undertow-handlers.conf

You can make use of the Undertow predicate language using an undertow-handlers.conf file. This file should be placed in the META-INF directory of your application jar. This file contains handlers defined using the Undertow predicate language.

12.2. web.xml

If you are using a web.xml file as your configuration file, you can place it in the src/main/resources/META-INF directory.