alopresto commented on a change in pull request #3273: NIFI-5968 - Added the X-XSS-Protection and Strict-Transport-Security … URL: https://github.com/apache/nifi/pull/3273#discussion_r250029252
########## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java ########## @@ -602,6 +599,28 @@ private WebAppContext loadWar(final File warFile, final String contextPath, fina return webappContext; } + private void addHTTPHeaders(WebAppContext webappContext) { + // Add a filter to set the X-Frame-Options header + FilterHolder xfoFilter = new FilterHolder(new XFrameOptionsFilter()); + xfoFilter.setName(XFrameOptionsFilter.class.getSimpleName()); + webappContext.addFilter(xfoFilter, "/*", EnumSet.allOf(DispatcherType.class)); + + // Add a filter to set the Content Security Policy frame-ancestors directive + FilterHolder cspFilter = new FilterHolder(new ContentSecurityPolicyFilter()); Review comment: This pattern seems like it could be abstracted to a single method which accepts a `Class<? extends Filter> clazz` and a `String path` and be called 4 times (iterate over a list and use a static path). This way future callers don't need to explicitly set the `DispatcherType` values, which was a problem before. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services