The NiFi Web Security Configuration includes a custom CORS Configuration Source that disallows HTTP POST requests for Template Uploads. The works as expected with direct access to the NiFi UI, but causes issues when attempting to upload a template to NiFi through a reverse proxy.
When a web browser sends a template upload request that includes an unexpected Origin header, the Spring CORS Filter returns HTTP 403 Forbidden with a response body containing the message Invalid CORS Request. NIFI-6080 describes a workaround that involves setting a different Origin header. The current approach as implemented in
NIFI-5595 should be evaluated for potential improvements to avoid this behavior when running NiFi with a reverse proxy.