Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).



Customers have reported that their security scanners have identified some missing HTTP headers from Connect REST API response. Specific headers that customers have asked about include:





Generally, it seems like they're using tools that are intended for Web Servers, rather than API servers, and the missing headers aren't actually signs of insecurity on Connect side.

For example, their tool might complain about a missing Content-Security-Policy: frame-ancestors header. However, since we're returning application/json data from an API server, rather than text/html data from a Web server, there will never be an HTML frame that could be improperly loaded.

We should provide a mechanism for them to make their scanners happy. We can't, in general, anticipate what specific headers their scanners will demand now, much less in the future, so we must make this mechanism configurable.  Also we don't foresee the requirement to set different headers for different paths or mime types (since these API servers only return application/json).

Public Interfaces

This proposal adds a new configuration property


Public Interfaces

There are no changes to existing public interfaces, but we will add new configuration options. We follow same pattern like configuring different Kafka listeners. We define a new property response.http.headers which defines the names of the header filters that will be configured. The default value for response.http.headers is empty string which means there are no header filters configured. We define a new prefix "response.http.headers.{name}.", then followed by a set of properties which define rules for header. The {name} will be one defined in response.http.headers. to customize HTTP response headers. The following section has detailed description.

Proposed Changes

Adding Properties

We will add a set of new properties in the org.apache.kafka.connect.runtime.WorkerConfig class. It will allow the REST server administrator to configure headers based on their security policies. We borrow and take advantage of the Jetty HeaderFilter class and use the same format of headerConfig, includedPaths, excludedPathsincludedMimeTypesexcludedMimeTypesincludedHttpMethods, and excludedHttpMethods init parameters as HeaderFilter. Please see two references for Jetty HeaderFilter.



Comma separated header config in format [action] [header]:[value]

Type: LIST

Valid Values: Values must use same format as headerConfig defined in


Description of Properties



Define a set of HTTP headers for the header filter defined by {name} which will be one of names defined in property response.http.headers.
Valid Values: See Detailed Explanation section.


It is comma separated values of included path specs applied to HTTP headers.
Valid Values: See path spec rules section.




It is comma separated values of excluded path specs applied to HTTP headers. 
Valid Values: See path spec rules section.


It is comma separated values of included mime types applied to HTTP headers
Valid Values: see


It is comma separated values of excluded mime types applied to HTTP headers.
Valid Values: see


Detailed Explanation for response.http.headers.{name}.header.config


[action] [header name]: [header value],
[action] can be one


of "set, add, setDate, or addDate" which specify an action


will perform on



  • set action is


  • same as


  • setHeader function in HttpServletResponse, it will set a response header with the given name and value. If the header had already been set, the new value overwrites the previous one.
  • add action is


  • same as


  • addHeader function in HttpServletResponse, it will add a new value to the header.


  • Responses headers could have multiple values.
  • setDate action is


  • same as setDateHeader function in HttpServletResponse. It will set


  • HTTP header


  • need date value. Such as "setDate Expires: 31540000000" which indicates the header will be expired approximately one year in the future.
  • addDate action is


  • same as


  • addDateHeader function in HttpServletResponse.  It will add a response header with the given name and date-value. Such as "addDate Last-Modified: 0" which indicates the Last-Modified date is same as current system date.

[header name]


 name of header defined in
[header value]


value for the header defined in We need


put double quotes around the value if the value contains commas


due to we use comma as separator for different headers. 

Path Spec Rules:

  • If the spec starts with ^, the spec is assumed to be a regex based path spec and will match with normal Java regex rules.
  • If the spec starts with /, the spec is assumed to be a Servlet url-pattern rules path spec for either an exact match or prefix based match.
  • If the spec starts with *., the spec is assumed to be a Servlet url-pattern rules path spec for a suffix based match.
  • All other syntaxes are unsupported.

Multiple Headers Configuration

We use Jetty HeaderFilter to implement HTTP response header configuration. We need support different rules applied to different response headers based on different resources. For most usage cases, one header should be sufficient. But we do provide flexible configuration for multiple headers usages.  

We define a prefix response.http.headers.{name}. to allow configure multiple configurations for different resources. The "{name}", for instance "connector1" in following example, will be used to uniquely identify a set of HTTP response headers applied to one resource under /connectors/connector1


Default Value: ""







"add Cache-Control:








 add X-XSS-Protection: 1; mode=block, add Strict-Transport-Security: max-age=31536000; includeSubDomains, add X-Content-Type-Options: nosniff

Output of Response Header:

< HTTP/1.1 200 OK
< Date: Sat, 07 Mar 2020 17:33:39 GMT
< Strict-Transport-Security: max-age=31536000;includeSubDomains
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Cache-Control: no-cache, no-store, must-revalidate
< Content-Type: application/json
< Vary: Accept-Encoding, User-Agent
< Content-Length: 136

Proposed Changes

Since we're using Jetty to serve this, we can take advantage of the Jetty HeaderFilter class to allow the configuration of these headers. We add configuration property response.http.headers.config in the org.apache.kafka.connect.runtime.WorkerConfig class and



update class .


 During initialization process,


 REST server will read all


header configurations from the


property response.http.headers.


config, and create a


FilterHolder with HeaderFilter class and add the




holder to the Servlet context handler




. We only need to provide a single HeaderFilter for the entire server, because that HeaderFilter can set as many headers as the customer needs. Both set and add action will add a header and value to the response header if the header is not already in the response. When the header is there, set action overwrites the existing value, whereas add action adds an additional value to the header value. So it is customer's applications and server administrator responsibility to manage headers configured and existing headers. 

The following is flow how this will be implemented: 

  • REST application load configuration file 
  • Application parse the property "response.http.headers.config" in configuration file using RestConfig if application based on rest-utils or using WorkerConfig if application is Kafka Connect
  • Application create FilterHolder with HeadFilter class.  
  • Application ServletContextHandler add the HeadFilter


protected void configureHttpResponsHeaderFilters(ServletContextHandler context) {
  String headersConfigs = extractHttpResponseHeaderConfig();
  FilterHolder headerFilterHolder = new FilterHolder(HeaderFilter.class);






















Compatibility, Deprecation, and Migration Plan

Since we just add a new property and the default value for new property is empty string, existing use cases and behavior will be unaffectedThis is a new feature that add HTTP headers based on configuration property response.http.headers.config. The default value for response.http.headers.config is empty, so it is backward compatible to old version.

Rejected Alternatives

Another implementation would be writing a customized filter extension to intercept and set HTTP response headers and we have to define same configuration property described in this proposal.  Ultimately the purpose of this


design will allow users to set HTTP response headers


. Using this alternative approach make implementation much complex and doesn't gain any benefits

Supporting multiple header filters add complexity to configuration properties and cause site administrator confusions on configuring REST server.  Most important thing is we do not see applicable customer scenarios at this time. One header filter is sufficient for all HTTP response headers based on existing customer application scenarios and concern.  We could expand existing implementation easily if customer need it in the future.  For instance, we could add multiple header filters by adding name of header filter between prefix response.http.headers and config such as response.http.headers.{name}.config. We still keep response.http.headers.config as default header filter and internally set name of header filter to default if there is nothing between the response.http.headers and config. 

Supporting other optional parameters, that are response.http.headers.included.paths,  response.http.headers.included.mime.types, response.http.headers.included.methods, response.http.headers.excluded.paths, response.http.headers.excluded.mime.types, response.http.headers.excluded.methods , don't add value based on existing customer complain about missing header in HTTP response headers. Customer will be happy as long as the headers they want in HTTP response header. This will simply configuration properties lot. We could easily add these optional parameters if customer need it in the future.  

Any response headers set with response.http.headers.config will be overridden by the application.