alopresto commented on a change in pull request #3273: NIFI-5968 - Added the
X-XSS-Protection and Strict-Transport-Security …
URL: https://github.com/apache/nifi/pull/3273#discussion_r250031372
##########
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java
##########
@@ -602,6 +599,28 @@ private WebAppContext loadWar(final File warFile, final
String contextPath, fina
return webappContext;
}
+ private void addHTTPHeaders(WebAppContext webappContext) {
+ // Add a filter to set the X-Frame-Options header
+ FilterHolder xfoFilter = new FilterHolder(new XFrameOptionsFilter());
+ xfoFilter.setName(XFrameOptionsFilter.class.getSimpleName());
+ webappContext.addFilter(xfoFilter, "/*",
EnumSet.allOf(DispatcherType.class));
+
+ // Add a filter to set the Content Security Policy frame-ancestors
directive
+ FilterHolder cspFilter = new FilterHolder(new
ContentSecurityPolicyFilter());
+ cspFilter.setName(ContentSecurityPolicyFilter.class.getSimpleName());
+ webappContext.addFilter(cspFilter, "/*",
EnumSet.allOf(DispatcherType.class));
+
+ // Add a filter to set the HSTS header
Review comment:
One more thought, and I don't know the answer on this. I like the separation
of concerns where each `Filter` implementation has a specific role. However, in
each case, it's just adding an HTTP header to the response. Do we have any idea
of the performance impact of chaining four distinct filter implementations to
do this, rather than just using a single filter which adds all 4 headers?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
