alopresto commented on a change in pull request #4125: NIFI-7153 Adds ContentLengthFilter and DoSFilter
URL: https://github.com/apache/nifi/pull/4125#discussion_r390701556
########## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java ##########
@@ -590,11 +591,15 @@ private WebAppContext loadWar(final File warFile, final String contextPath, fina // add HTTP security headers to all responses final String ALL_PATHS = "/*"; - ArrayList<Class<? extends Filter>> filters = new ArrayList<>(Arrays.asList(XFrameOptionsFilter.class, ContentSecurityPolicyFilter.class, XSSProtectionFilter.class)); + ArrayList<Class<? extends Filter>> filters = new ArrayList<>(Arrays.asList(

Review comment:
I notice the max form content size is set to 600KB on line 590 above. If this is set, doesn't the `10 MB` / `100 MB` limit not apply because Jetty overrides it anyway?

https://www.eclipse.org/jetty/documentation/current/setting-form-size.html

> Jetty limits the amount of data that can post back from a browser or other client to the server. This helps protect the server against denial of service attacks by malicious clients sending huge amounts of data. The default maximum size Jetty permits is 200000 bytes. You can change this default for a particular webapp, for all webapps on a particular Server instance, or all webapps within the same JVM.
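
Review bot: On the added `filters` line, the variable is still declared with the concrete type `ArrayList<Class<? extends Filter>>`. Since the initializer is being rewritten anyway, consider declaring it as `List<Class<? extends Filter>>` so the declaration does not depend on the implementation class, unless later code relies on an ArrayList-specific method. A short comment above the list stating whether the order of the filter classes matters would also help, given that the existing comment only mentions HTTP security headers.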