diff --git a/drawings/spring-security-ServerHttpSecurity.puml b/drawings/spring-security-ServerHttpSecurity.puml
new file mode 100644
index 0000000..9ea87f1
--- /dev/null
+++ b/drawings/spring-security-ServerHttpSecurity.puml
@@ -0,0 +1,154 @@
+@startuml spring-security-ServerHttpSecurity
+skinparam Shadowing false
+skinparam class {
+ BackgroundColor White
+}
+hide empty members
+
+class ServerHttpSecurity {
+ + ServerHttpSecurity addFilterAt(WebFilter webFilter, SecurityWebFilterOrder order)
+ + ServerHttpSecurity addFilterBefore(WebFilter webFilter, SecurityWebFilterOrder order)
+ + ServerHttpSecurity addFilterAfter(WebFilter webFilter, SecurityWebFilterOrder order)
+ + Csrf csrf()
+ + Cors cors()
+ + AnonymousSpec anonymous()
+ + HttpBasicSpec httpBasic()
+ + PasswordManagementSpec passwordManagement()
+ + FormLoginSpec formLogin()
+ + X509Spec x509()
+ + OAuth2LoginSpec oauth2Login()
+ + OAuth2ClientSpec oauth2Client()
+ + OAuth2ResourceServerSpec oauth2ResourceServer()
+ + HeaderSpec header()
+ + ExceptionHandlingSpec exceptionHandling()
+ + AuthorizeExchangeSpec authorizeExchange()
+ + LogoutSpec logout()
+ + RequestCacheSpec requestCache()
+ + ServerHttpSecurity authenticationManager(ReactiveAuthenticationManager manager)
+}
+
+class AuthorizeExchangeSpec {
+ + ServerHttpSecurity and()
+ + Access anyExchange()
+}
+
+class Access {
+ + AuthorizeExchangeSpec permitAll()
+ + AuthorizeExchangeSpec denyAll()
+ + AuthorizeExchangeSpec hasRole(String role)
+ + AuthorizeExchangeSpec hasAnyRole(String... roles)
+ + AuthorizeExchangeSpec hasAuthority(String authority)
+ + AuthorizeExchangeSpec hasAnyAuthority(String... authorities)
+ + AuthorizeExchangeSpec authenticated()
+ + AuthorizeExchangeSpec access(ReactiveAuthenticationManager manager)
+}
+
+abstract AbstractServerWebExchangeMatcherRegistry {
+ + T anyExchange()
+ + T pathMatchers(HttpMethod method)
+ + T pathMatchers(HttpMethod method, String... paths)
+ + T pathMatchers(String... paths)
+ + T matchers(ServerWebExchangeMatcher... matchers)
+}
+
+class HttpBasicSpec {
+ + HttpBasicSpec authenticationManager(ReactiveAuthenticationManager manager)
+ + HttpBasicSpec securityContextRepository(ServerSecurityContentsRepository repository)
+ + HttpBasicSpec authenticationEntryPoint(ServerAuthenticationEntryPoint entryPoint)
+ + ServerHttpSecurity and()
+ + ServerHttpSecurity disable()
+}
+
+class PasswordManagementSpec {
+ + PasswordManagementSpec changePasswordPage(String path)
+ + ServerHttpSecurity and()
+}
+
+class FormLoginSpec {
+ + FormLoginSpec authenticationManager(ReactiveAuthenticationManager manager)
+ + FormLoginSpec authenticationSuccessHandler(ServerAuthenticationSuccessHandler handler)
+ + FormLoginSpec LoginPage(String path)
+ + FormLoginSpec authenticationEntryPoint(ServerAuthenticationEntryPoint entryPoint)
+ + FormLoginSpec requiresAuthenticationMatcher(ServerWebExchangeMatcher matcher)
+ + FormLoginSpec authenticationFailureHandler(ServerAuthenticationFailureHandler handler)
+ + FormLoginSpec securityContextRepository(ServerSecurityContextRepository repository)
+ + ServerHttpSecurity and()
+ + ServerHttpSecurity disable()
+}
+
+class AnonymousSpec {
+ + AnonymousSpec key(String name)
+ + AnonymousSpec principal(Object principal)
+ + AnonymousSpec authorities(List authorities)
+ + AnonymousSpec authorities(Stirng... authorities)
+ + AnonymousSpec authenticationFilter(AnonymousAuthenticationWebFilter filter)
+ + ServerHttpSecurity and()
+ + ServerHttpSecurity disable()
+}
+
+class HeaderSpec {
+ + ServerHttpSecurity and()
+ + CacheSpec cache()
+ + ContentTypeOptionsSpec contentTypeOptions()
+ + FrameOptionsSpec frameOptions()
+ + HeaderSpec writer(ServerHttpHeadersWriter writer)
+ + HstsSpec hsts()
+ + XssProtectionSpec xssProtection()
+ + ContentSecurityPolicySpec contentSecurityPolicy(String policy)
+ + PermissionPolicySpec permissionPolicy()
+ + RefererPolicySpec refererPolicy()
+}
+
+class CacheSpec {
+ + HeaderSpec disable()
+}
+
+class ContentTypeOptionsSpec {
+ + HeaderSpec disable()
+}
+
+class HstsSpec {
+ + HstsSpec maxAge(Duration duration)
+ + HstsSpec includeSubdomains(boolean include)
+ + HstsSpec preload(boolean preload)
+ + HeaderSpec and()
+ + HeaderSpec disable()
+}
+
+class XssProtectionSpec {
+ + HeaderSpec disable()
+}
+
+class ContentSecurityPolicySpec {
+ + HeaderSpec reportOnly(boolean report)
+ + HeaderSpec policyDirectives(String policyDirective)
+ + HeaderSpec and()
+}
+
+class PermissionPolicySpec {
+ + PermissionPolicySpec policy(String policy)
+ + HeaderSpec and()
+}
+
+class RefererPolicySpec {
+ + RefererPolicySpec policy(RefererPolicy policy)
+ + HeaderSpec and()
+}
+
+ServerHttpSecurity +-- AuthorizeExchangeSpec
+AbstractServerWebExchangeMatcherRegistry <- AuthorizeExchangeSpec
+AuthorizeExchangeSpec +-- Access
+ServerHttpSecurity +-- HttpBasicSpec
+PasswordManagementSpec -+ ServerHttpSecurity
+ServerHttpSecurity +--- FormLoginSpec
+ServerHttpSecurity +- AnonymousSpec
+HeaderSpec --+ ServerHttpSecurity
+CacheSpec --+ HeaderSpec
+ContentTypeOptionsSpec --+ HeaderSpec
+HstsSpec -+ HeaderSpec
+XssProtectionSpec --+ HeaderSpec
+HeaderSpec -+ ContentSecurityPolicySpec
+PermissionPolicySpec --+ HeaderSpec
+RefererPolicySpec --+ HeaderSpec
+
+@enduml
\ No newline at end of file
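Review bot: The HttpBasicSpec member names a type `ServerSecurityContentsRepository` while the FormLoginSpec member a few lines below names `ServerSecurityContextRepository` for the same `securityContextRepository(...)` method; the diagram is inconsistent with itself, and since it documents where the security context is stored, a reader copying the type name from the HttpBasic section will get a nonexistent class. Suggested line: `+ HttpBasicSpec securityContextRepository(ServerSecurityContextRepository repository)`. Two further typos render literally into the diagram: the AnonymousSpec overload `authorities(Stirng... authorities)` should read `+ AnonymousSpec authorities(String... authorities)`, and `FormLoginSpec LoginPage(String path)` breaks the lowerCamelCase used by every other method here, so `+ FormLoginSpec loginPage(String path)`. The `Access.access(ReactiveAuthenticationManager manager)` signature is also worth double-checking against the actual API before this drawing is used as a reference, as the authorization-side `access(...)` presumably takes an authorization manager rather than an authentication manager.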