Add HSTS to Bitbucket

Michael Slattery February 9, 2018

I've been working to try and enable HSTS on Bitbucket.

I was able to successfully add it to the Tomcat configs for JIRA, Confluence, and SD (see link below) but no luck finding the Tomcat config/setup for Bitbucket.

https://www.netiq.com/communities/cool-solutions/hsts-for-tomcat/

Any suggestions?

TIA,

Mike

1 answer

0 votes
Ana Retamal
Atlassian Team
February 9, 2018

Hi Michael! I've been discussing this with some of my colleagues and it seems like from Bitbucket Server 5.x and up you're not able to configure tomcat directly, so the best bet is to have a proxy like Nginx in front of Bitbucket Server and enable HSTS there. You can have a look at HTTP strict transport security HSTS and Nginx for more info.

Hope that helps!

Ana
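An nginx configuration for the setup described in this answer, added here as an illustration; it is not from the thread or from Atlassian's documentation. The hostname, certificate paths and the backend address 127.0.0.1:7990 are assumptions, and Bitbucket's own proxy-awareness settings in bitbucket.properties (covered by the Atlassian guide) are assumed to be in place.

```nginx
# Constructed example: nginx terminates TLS in front of Bitbucket Server
# and adds HSTS. Hostname, cert paths and 127.0.0.1:7990 are assumptions.

# Plain-HTTP listener: redirect only. Browsers ignore an HSTS header
# received over HTTP (RFC 6797), so adding it here would do nothing.
server {
    listen 80;
    server_name bitbucket.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name bitbucket.example.com;

    ssl_certificate     /etc/nginx/certs/bitbucket.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/certs/bitbucket.key;

    # Weak: without "always", nginx adds the header only on 2xx/3xx
    # responses, so a 401 or 404 coming back from Bitbucket (for example an
    # unknown repository path) would be sent without HSTS.
    #   add_header Strict-Transport-Security "max-age=31536000";
    #
    # Corrected: "always" adds the header on every response code.
    # Clients cache the policy for max-age, so start with a short value
    # while validating and add includeSubDomains only once every subdomain
    # of this host serves valid TLS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # No add_header here: an add_header inside a location replaces the
        # server-level set instead of extending it, which would drop HSTS.
        proxy_pass http://127.0.0.1:7990;   # hop to Bitbucket stays plain HTTP
        proxy_set_header X-Forwarded-Host   $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto  https;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_redirect off;
        client_max_body_size 0;   # do not cap large git pushes at the proxy
    }
}
```

After `nginx -s reload`, check both a normal page and an error response with `curl -sI https://bitbucket.example.com/ | grep -i strict-transport` and the same against a non-existent path; the header should appear on both, and never on the port 80 response.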

will martin February 9, 2018

I'm a little concerned here. Tomcat 7 and above support HSTS security on any and all responses. It's a plugin for tomcat. And it will replace any already on the response. So configuring this has nothing to do with bitbucket, does it? A BitBucketServer response is tunnelled *back* the way it comes, right? Otherwise why use a servlet container at all? Maybe I don't understand the architecture, but I've never passed anything through tomcat send deliberately blocking the tomcat configuration.

Michael Slattery February 12, 2018

Ana,

Thanks for the response, however, it seems the "Securing Bitbucket Server behind nginx using SSL" article still uses HTTP on the internal network. This is still unacceptable for our clients' security architecture.

https://confluence.atlassian.com/bitbucketserver/securing-bitbucket-server-behind-nginx-using-ssl-776640112.html

Any chance you have details available securing bitbucket's internal communication as well?

Thanks,

Mike

slyoldfox
I'm New Here
December 25, 2018

@Ana Retamal

Since Bitbucket5 is actually a spring boot based app now (yay!), does it not support the SecurityProperties inside bitbucket.properties?

I know most of the connector configuration can be modified with the server.* properties, but setting

security.headers.hsts=domain

yielded nothing (I am assuming you actually don't use ServerProperties or don't parse them completely).

Would be nice if this was supported?

It's documented in https://docs.spring.io/autorepo/docs/spring-boot/1.0.x/reference/html/common-application-properties.html
