Removing the About JIRA information until a user has logged in

Rich Wolverton
Contributor
September 16, 2020

Can we turn off the About JIRA information until a user has logged in?

It has been identified as a potential security risk to display information about our JIRA site until a user has logged in. Is there a way to remove it from the login page?

1 answer

0 votes
Florian
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 16, 2020

Hi Rich,

You can do it in the file system. There is a jar file that can be unpacked. Then you have to modify the content and pack it again. Then pray that you did not break anything and restart Jira. With the next update you have to repeat it. So basically this is not a good idea for a production environment.

Better you place your server behind a web application firewall that hides your Jira behind a login page. We use SOPHOS UTM and it works well. There are two drawbacks: It is hard to find consulting. We asked the ten largest Atlassian platinum partners in Germany and none of them was able to help with the setup. So we had to figure it out for ourselves. Second drawback: Your users have to use the browser. The mobile apps on smartphones are unable to connect through the firewall. So we use the web application firewall for external partners. Internal users use VPN when they are on the road.

Good luck

Florian
Rising Star
September 16, 2020

You can also do some cheap trick and add an announcement banner (system settings). The announcement banner can contain CSS and JavaScript to modify the rendered output. Of course this works on the client side after the complete login page is transmitted. So this will only protect you from very poor hackers.

Rich Wolverton
Contributor
September 16, 2020

Thanks Florian. We are starting to use the Mobile app so putting JIRA behind another firewall is probably a non-starter. It just seems a little callous on Atlassian's part to publicly provide version data for the core application software.

Daniel Ebers
Rising Star
October 12, 2020

In case you have a reverse proxy in place you probably can block the whole "about" page for user access. This might apply to logged-in users as well, but in case the information on this page is negligible for your users, it could be a valid opportunity.

Just for completeness: there is a Suggestion open with Atlassian to not show so much information to not logged-in users. Although your specific requirement is not listed there it could make sense to upvote the issue.

Cheers,
Daniel
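
A sketch of the reverse-proxy block described in the comment above, as an added example that is not part of the original thread. It assumes nginx is the proxy, that Jira runs without a context path, and that the About page is served under /secure/AboutPage.jspa (the thread does not state the path, so confirm it on your own instance); host name, backend address and certificate paths are placeholders.

```nginx
# Added example: nginx in front of Jira Server.
# jira.example.com, 127.0.0.1:8080 and the certificate paths are placeholders.
upstream jira_backend {
    server 127.0.0.1:8080;   # assumed HTTP connector of the Jira instance
}

server {
    listen 443 ssl;
    server_name jira.example.com;

    ssl_certificate     /etc/nginx/tls/jira.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/jira.example.com.key;

    # Block the About page for every client. The proxy cannot tell whether
    # a Jira session is logged in, so logged-in users lose the page too.
    # nginx matches against the decoded, normalized URI; the match is a
    # case-insensitive prefix so suffixes on the action name are covered.
    # Assumed path: /secure/AboutPage.jspa (prepend the context path if
    # Jira is deployed under one, e.g. /jira).
    location ~* ^/secure/AboutPage {
        return 404;
    }

    # Everything else is passed through to Jira unchanged.
    location / {
        proxy_pass http://jira_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Jira must only be reachable through the proxy for the block to hold, so bind its connector to localhost or restrict the backend port with a host firewall.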

Deployment type: Server
Version: 8.8.0