X-Frame-Options or Content-Security-Policy

Michael Golla February 24, 2017

A vulnerability scan showed that the JIRA Web server does not set an X-Frame-Options or Content-Security-Policy 'frame-ancestors' response header in all content responses.


The solution was to return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response.


This is way over my head. Is there something I can do to address this? I have seen others make adjustments to the web.xml file, but the other suggestions don't seem to apply to JIRA Software Server (v7.3).
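As an added example (not code from the question, the answers, or Atlassian), a small Python check of the condition the scanner flagged: it parses response headers and reports whether X-Frame-Options or a CSP frame-ancestors directive would actually protect the page, including two cases a bare presence check gets wrong (a CSP with `frame-ancestors *`, and the deprecated `ALLOW-FROM` value that current browsers ignore). The sample responses are constructed, not captured from a real Jira instance.

```python
from typing import Dict, List, Optional

HONOURED_XFO = {"DENY", "SAMEORIGIN"}  # ALLOW-FROM is no longer honoured by browsers


def parse_headers(raw_lines: List[str]) -> Dict[str, List[str]]:
    """Fold raw 'Name: value' lines into lower-cased name -> list of values (headers may repeat)."""
    headers: Dict[str, List[str]] = {}
    for line in raw_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_frame_ancestors(csp_values: List[str]) -> Optional[List[str]]:
    """Source list of the first frame-ancestors directive across all CSP values, or None.
    Directive names are case-insensitive and a response may carry several CSP headers."""
    for value in csp_values:
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def frame_protection(headers: Dict[str, List[str]]) -> str:
    """Classify framing protection as the scanner's finding sees it:
    'csp'      frame-ancestors restricts framing (the preferred control)
    'csp-open' frame-ancestors present but '*' lets any origin frame the page
    'xfo'      X-Frame-Options DENY or SAMEORIGIN
    'weak-xfo' X-Frame-Options present with a value browsers ignore
    'none'     neither header set: the finding applies"""
    ancestors = csp_frame_ancestors(headers.get("content-security-policy", []))
    if ancestors is not None:
        return "csp-open" if "*" in ancestors else "csp"
    xfo = headers.get("x-frame-options", [])
    if xfo:
        return "xfo" if all(v.upper() in HONOURED_XFO for v in xfo) else "weak-xfo"
    return "none"


# Constructed sample responses (not captured from a real Jira instance).
SAMPLES = {
    "no-headers": ["Content-Type: text/html;charset=UTF-8"],
    "proxy-xfo": ["Content-Type: text/html", "X-Frame-Options: SAMEORIGIN"],
    "proxy-csp": ["Content-Security-Policy: default-src 'self'; frame-ancestors 'self'"],
    "open-csp": ["Content-Security-Policy: frame-ancestors *"],
    "legacy-xfo": ["X-Frame-Options: ALLOW-FROM https://intranet.example"],
}


def audit(samples: Dict[str, List[str]] = SAMPLES) -> Dict[str, str]:
    """Return name -> verdict for every sample response."""
    return {name: frame_protection(parse_headers(lines)) for name, lines in samples.items()}
```

Calling `audit()` on the samples flags only `no-headers` as the scanner would; `open-csp` and `legacy-xfo` show headers that are present yet give no protection, which is what to re-check after adding the header in a reverse proxy or filter.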

2 answers

1 vote
Michael Golla March 27, 2017

Ben, thank you for replying. I ended up finding a solution here:

https://www.keycdn.com/blog/x-frame-options/

Matthew Garrett November 7, 2017

Can you provide more details? The page you linked mostly refers to Apache, not Tomcat. I'm running into this same finding on our Jira and so far I've found no solution to CSP for Tomcat.

NCATS LAB November 9, 2017

@Matthew, you may want to watch this ticket:
JRASERVER-25143

Matthew Garrett November 9, 2017

This is related to HTTPS in Apache; the issue I'm running into is offering up the Content-Security-Policy in HTTP, which is provided by Tomcat, and according to everything I've seen so far, CSP is not provided by Tomcat.

NCATS LAB November 9, 2017

Check out Manuel's comment (7th down). The overall ticket is misleading. It seems that, right now, the best solution is to use Apache in a reverse proxy. JIRA, oobe does not include this, nor does its documentation. Their solution is to use Tomcat connectors for https. The ticket looks like it is addressing existing Apache issues with JIRA, but I think they are trying to either implement it, or harden Tomcat. Not really sure where they are taking it.

0 votes
BenP
March 27, 2017

Running into similar issues with JIRA Capture. Prob better to log it as a support request.

NCATS LAB November 9, 2017

you may want to watch this ticket:
JRASERVER-25143
