Do the latest WIKI/JIRA versions utilize the HTTP Security Headers

Lloyd Chandler April 4, 2018

Qualys flags as 11827.

X-Frame-Options:
Apache: Header always append X-Frame-Options SAMEORIGIN
nginx: add_header X-Frame-Options SAMEORIGIN;
HAProxy: rspadd X-Frame-Options:\ SAMEORIGIN
IIS (web.config): <httpProtocol><customHeaders><add name="X-Frame-Options" value="SAMEORIGIN" /></customHeaders></httpProtocol>
X-XSS-Protection:
Apache: Header always set X-XSS-Protection "1; mode=block"
PHP: header("X-XSS-Protection: 1; mode=block");
X-Content-Type-Options:
Apache: Header always set X-Content-Type-Options "nosniff"

2 answers

0 votes
Shaun S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 5, 2018

The X-FRAME-OPTIONS and Content Security Policy headers were introduced in JIRA 7.6.0 (see JRASERVER-25143). These were also introduced in Confluence 5.8.15 (see CONFSERVER-22952). If you're serving your applications behind a reverse proxy you can configure the headers on that level without needing to upgrade JIRA.  The JIRA feature request I linked to includes instructions for Apache.  If users are accessing JIRA directly, upgrading to 7.6.0 should do the trick.

Lloyd Chandler April 5, 2018

Odd, we are being flagged on port 8443, which is our Confluence port, and we are on 6.5.0 and the security headers are not present. Not understanding what is wrong here. We are not using any reverse proxy.

Shaun S
Atlassian Team
April 6, 2018

If you inspect the requests using something like Chrome's built-in dev tools, you should be able to determine if the security headers are present. Any one of the requests in the list will contain them if they are present. I've attached a screenshot for reference.

If you're seeing those headers present, I suspect something is triggering a false positive.

[Attached screenshot: Example.png]

Lloyd Chandler April 6, 2018

Just loaded one of the pages and went into Dev tools - My response headers do NOT show any of the security headers - so something is wrong:

This is all I see:

  1. Content-Type: application/json
  2. Date: Fri, 06 Apr 2018 21:27:36 GMT
  3. Server: Apache-Coyote/1.1
  4. X-ASEN: SEN-1000

Lloyd Chandler April 6, 2018

Odd, it seems to change for any given page, yet still not all are showing. Loaded a different page and part of the sources showed this in the response headers, but only one of the 3 required headers:

  1. Cache-Control: no-cache
  2. Content-Type: application/json
  3. Date: Fri, 06 Apr 2018 21:29:30 GMT
  4. Server: Apache-Coyote/1.1
  5. Transfer-Encoding: chunked
  6. X-ASEN: SEN-1000
  7. X-AUSERNAME: user
  8. X-Confluence-Cluster-Node: 12345
  9. X-Content-Type-Options: nosniff
  10. X-Seraph-LoginReason: OK
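The question lists the three headers the scanner expects, and the comments above show how the set of headers differs from response to response, which is exactly what a per-page dev-tools inspection is tedious to catch by hand. The following is an added example (not Atlassian's code, not from the original post) that audits captured "Name: value" header blocks, as copied from a dev-tools Response Headers pane, against the headers named in the question. The sample responses are constructed to mirror the two lists posted above plus one hardened response; the URL labels and the optional `fetch_headers` helper are assumptions for illustration.

```python
"""Audit captured HTTP response headers for the security headers discussed
in this thread. Added example, not Atlassian or Qualys code."""
from typing import Dict, Iterable, List, Mapping
import urllib.error
import urllib.request

# Headers the question's scanner finding expects, with the values the
# question's Apache/nginx/IIS snippets set. Comparison is case-insensitive.
REQUIRED_HEADERS: Dict[str, Iterable[str]] = {
    "X-Frame-Options": ("SAMEORIGIN", "DENY"),
    "X-Content-Type-Options": ("nosniff",),
    "X-XSS-Protection": ("1; mode=block",),
}


def normalize(headers: Mapping[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; key the mapping lower-cased."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def missing_security_headers(headers: Mapping[str, str]) -> List[str]:
    """Return a problem line for each required header that is absent or
    carries a value other than the accepted ones."""
    present = normalize(headers)
    problems: List[str] = []
    for name, accepted in REQUIRED_HEADERS.items():
        value = present.get(name.lower())
        if value is None:
            problems.append(f"{name}: missing")
        elif value.lower() not in {a.lower() for a in accepted}:
            problems.append(f"{name}: unexpected value {value!r}")
    return problems


def parse_header_block(text: str) -> Dict[str, str]:
    """Parse 'Name: value' lines as pasted from a dev-tools headers pane.
    Splits on the first colon only, so values like dates survive intact."""
    headers: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def audit(responses: Mapping[str, str]) -> Dict[str, List[str]]:
    """Audit several captured responses at once; the headers are only
    deployed correctly if every response comes back clean."""
    return {url: missing_security_headers(parse_header_block(raw))
            for url, raw in responses.items()}


def fetch_headers(url: str) -> Dict[str, str]:
    """Optional live check (assumed helper, not exercised offline): fetch a
    URL and return its response headers, including on 4xx/5xx responses."""
    try:
        with urllib.request.urlopen(url) as resp:  # noqa: S310 (trusted URL)
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed samples modelled on the two header lists posted in the thread,
# plus one response that carries the expected headers.
SAMPLE_RESPONSES = {
    "/rest/api/first": """\
Content-Type: application/json
Date: Fri, 06 Apr 2018 21:27:36 GMT
Server: Apache-Coyote/1.1
X-ASEN: SEN-1000
""",
    "/rest/api/second": """\
Cache-Control: no-cache
Content-Type: application/json
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-Seraph-LoginReason: OK
""",
    "/rest/api/hardened": """\
Content-Type: text/html
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
""",
}

if __name__ == "__main__":
    for url, problems in audit(SAMPLE_RESPONSES).items():
        print(url, "OK" if not problems else "; ".join(problems))
```

Run it as-is to see the first two constructed responses flagged and the hardened one pass; to check a live instance, paste the header block of each request you inspect into `SAMPLE_RESPONSES` or call `fetch_headers` on a URL and pass its result to `missing_security_headers`. Because Lloyd saw different headers on different pages, auditing several requests, not just one, is the point of `audit`.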

0 votes
Shaun S
Atlassian Team
April 5, 2018

Hi Lloyd,

The headers you provided are all used by default in the latest versions of JIRA and Confluence. Did the Qualys report provide you the security header that was detected missing from the request?

Lloyd Chandler April 5, 2018

It stated they are all missing, but we are not using the latest versions of either JIRA or Confluence, so what versions did Atlassian change to start using these? We are at 6.5.0 on Confluence and 7.5.2 on JIRA.
