exceptionfactory opened a new pull request, #8136: URL: https://github.com/apache/nifi/pull/8136
# Summary [NIFI-12487](https://issues.apache.org/jira/browse/NIFI-12487) Adds Cross-Site Request Forgery protection to NiFi Registry using the Spring Security CSRF Filter and several components that follow the same approach currently implemented for NiFi CSRF protection. NiFi Registry does not use cookies for passing Application Bearer Tokens, and instead relies on the HTTP Authorization header to be populated using a custom JavaScript request interceptor. This approach mitigates a number of potential threats. Introducing the CSRF Filter provides an additional layer of protection. Following a strategy similar to NiFi, the CSRF Request Matcher is based on the default Spring Security HTTP Method matching plus the presence of the Request Token cookie. This enables programmatic clients to continue working without reconfiguration, while requiring browser-based clients to pass the `Request-Token` header, as implemented through updates to the JavaScript request interceptor. # Tracking Please complete the following tracking steps prior to pull request creation. ### Issue Tracking - [X] [Apache NiFi Jira](https://issues.apache.org/jira/browse/NIFI) issue created ### Pull Request Tracking - [X] Pull Request title starts with Apache NiFi Jira issue number, such as `NIFI-00000` - [X] Pull Request commit message starts with Apache NiFi Jira issue number, as such `NIFI-00000` ### Pull Request Formatting - [X] Pull Request based on current revision of the `main` branch - [X] Pull Request refers to a feature branch with one commit containing changes # Verification Please indicate the verification steps performed prior to pull request creation. ### Build - [X] Build completed using `mvn clean install -P contrib-check` - [X] JDK 21 ### Licensing - [ ] New dependencies are compatible with the [Apache License 2.0](https://apache.org/licenses/LICENSE-2.0) according to the [License Policy](https://www.apache.org/legal/resolved.html) - [ ] New dependencies are documented in applicable `LICENSE` and `NOTICE` files ### Documentation - [ ] Documentation formatting appears as expected in rendered files -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@nifi.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
