Qualys flags this as QID 11827.
X-Frame-Options:
Apache: Header always set X-Frame-Options "SAMEORIGIN"   (set rather than append, so a value the application already sends is not duplicated into a second copy)
nginx: add_header X-Frame-Options SAMEORIGIN always;   (without "always" nginx only adds the header to 2xx/3xx responses, so error pages would still be flagged)
HAProxy: http-response set-header X-Frame-Options SAMEORIGIN   (the older rspadd form only exists in HAProxy 1.x and was removed in 2.1)
IIS (web.config, inside <system.webServer>): <httpProtocol><customHeaders><add name="X-Frame-Options" value="SAMEORIGIN" /></customHeaders></httpProtocol>   (element and attribute names are case-sensitive)
X-XSS-Protection:
Apache: Header always set X-XSS-Protection "1; mode=block"
PHP: header("X-XSS-Protection: 1; mode=block");
X-Content-Type-Options:
Apache: Header always set X-Content-Type-Options "nosniff"   (no colon after the header name; Apache rejects the directive with one)
The X-FRAME-OPTIONS and Content Security Policy headers were introduced in JIRA 7.6.0 (see JRASERVER-25143). They were also introduced in Confluence 5.8.15 (see CONFSERVER-22952). If you're serving your applications behind a reverse proxy, you can configure the headers at that level without needing to upgrade JIRA. The JIRA feature request I linked to includes instructions for Apache. If users are accessing JIRA directly, upgrading to 7.6.0 should do the trick.
Odd, we are being flagged on port 8443, which is our Confluence port, and we are on 6.5.0 and the security headers are not present. I'm not understanding what is wrong here. We are not using any reverse proxy.
If you inspect the requests using something like Chrome's built-in dev tools, you should be able to determine whether the security headers are present. Any one of the requests in the list will contain them if they are present. I've attached a screenshot for reference.
If you're seeing those headers present, I suspect something is triggering a false positive.
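The reply above suggests eyeballing the response headers in the browser dev tools, and the opening post lists the server snippets that are supposed to set them. The script below is an added example (not from this thread, Atlassian or Qualys) that does the same check from the command line, so you can run it against several pages and compare with what the scanner reports. It uses only the Python 3 standard library; the expected values come from the snippets in the opening post ("DENY" is also accepted for X-Frame-Options as the stricter option), and the sample response at the bottom is constructed, not captured from a real server.

```python
"""Audit one or more URLs for the three headers this thread is about.

Added example, not code from the thread or from Atlassian/Qualys.
Python 3 standard library only.
"""
import ssl
import sys
import urllib.request

# Expected values, lower-cased for comparison. Taken from the server
# snippets in the opening post; "deny" added as the stricter XFO option.
EXPECTED = {
    "X-Frame-Options": {"sameorigin", "deny"},
    "X-XSS-Protection": {"1; mode=block"},
    "X-Content-Type-Options": {"nosniff"},
}


def audit_headers(headers):
    """Map each expected header to "ok", "missing" or "unexpected:<value>".

    `headers` is any mapping of header name -> value. Lookup is
    case-insensitive: HTTP header names are case-insensitive and
    servers/proxies differ in how they capitalise them.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    report = {}
    for name, allowed in EXPECTED.items():
        value = lowered.get(name.lower())
        if value is None:
            report[name] = "missing"
        elif value.strip().lower() in allowed:
            report[name] = "ok"
        else:
            report[name] = "unexpected:" + value.strip()
    return report


def missing_headers(headers):
    """Names of the expected headers that are absent, in EXPECTED order."""
    return [name for name, status in audit_headers(headers).items()
            if status == "missing"]


def fetch_headers(url, insecure=False):
    """GET `url` and return its response headers as a dict.

    A GET is used rather than HEAD because scanners and browsers look at
    the response to a normal GET, and some servers answer HEAD differently.
    insecure=True disables certificate verification, which you will
    usually need against a self-signed certificate on a port like 8443;
    only do that against a server you own. Duplicate header names are
    collapsed by dict(), which is fine for a presence check.
    """
    ctx = ssl._create_unverified_context() if insecure else None
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    with urllib.request.urlopen(req, timeout=15, context=ctx) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    urls = [a for a in sys.argv[1:] if a != "--insecure"]
    insecure = "--insecure" in sys.argv
    if not urls:
        # Constructed sample response (not captured from a real server):
        # only one of the three headers is present.
        sample = {
            "Content-Type": "text/html;charset=UTF-8",
            "X-Content-Type-Options": "nosniff",
        }
        print("sample:", audit_headers(sample))
    for url in urls:
        try:
            print(url, audit_headers(fetch_headers(url, insecure)))
        except Exception as exc:  # network or TLS error: report and move on
            print(url, "error:", exc)
```

Run it as `python3 header_audit.py --insecure https://host:8443/ https://host:8443/some/page` and pass more than one page: as the later replies in this thread show, the headers can differ between responses, so checking a single URL can give a different answer from the scanner. One caveat on X-XSS-Protection: current Chrome and Edge no longer implement the XSS auditor it controls, so treat it as a scanner checkbox rather than a real defence; X-Frame-Options and X-Content-Type-Options are still honoured.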
Just loaded one of the pages and went into Dev tools. My response headers do NOT show any of the security headers, so something is wrong:
This is all I see:
Odd, it seems to change for any given page, yet still not all are showing. Loaded a different page and some of the sources showed this in the response headers, but only one of the 3 required headers:
Hi Lloyd,
The headers you provided are all used by default in the latest versions of JIRA and Confluence. Did the Qualys report tell you which security header was detected as missing from the response?
It stated they are all missing, but we are not using the latest versions of either JIRA or Confluence, so in which versions did Atlassian start using these? We are at 6.5.0 on Confluence and 7.5.2 on JIRA.