Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2022/12/23 16:50:09 UTC

[GitHub] [nifi] exceptionfactory commented on a diff in pull request #6805: NIFI-10855 Add Documentation on CSRF Protection

exceptionfactory commented on code in PR #6805:
URL: https://github.com/apache/nifi/pull/6805#discussion_r1056493896


##########
nifi-docs/src/main/asciidoc/administration-guide.adoc:
##########
@@ -582,6 +582,36 @@ The following settings can be configured in _nifi.properties_ to control JSON We
 |`nifi.security.user.jws.key.rotation.period` | JSON Web Signature Key Rotation Period defines how often the system generates a new RSA Key Pair, expressed as an ISO 8601 duration. The default is one hour: `PT1H`
 |==================================================================================================================================================
 
+[[csrf-protection]]
+=== Cross-Site Request Forgery Protection
+
+NiFi 1.15.0 introduced Cross-Site Request Forgery protection as part of user interface access based on session cookies.
+CSRF protection builds on a standard Spring Security Filter and implements the double submit cookie strategy. The
+implementation strategy relies on sending a random request token cookie at the beginning of the session, and requiring
+the JavaScript user interface to send the value in a corresponding request header. NiFi applies the `SameSite`
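Review bot: the double submit description at the added lines 21-23 says the user interface must send the cookie value in a request header but never states the server-side check that makes the scheme work, namely that the request is rejected when the header is missing or its value does not match the cookie. Suggest closing that sentence with the comparison, e.g. `the JavaScript user interface to send the value in a corresponding request header, which the server compares against the cookie before accepting the request.`, and naming the cookie and header in this section so that operators running NiFi behind a reverse proxy know which cookie and header must be forwarded unchanged.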

Review Comment:
   The word `JavaScript` could be omitted, but I included it as a pointer to the implementation. Other implementation strategies embed CSRF request tokens in hidden HTML form parameters, but the NiFi implementation uses a custom JavaScript handler for HTTP requests.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.