Enabling HTTP Strict Transport Security (HSTS) for Jira 8.4.3

Hi all,

Kindly help with enabling this HSTS header for Jira 8.4.3.

Thanks,

Keerthy

1 answer

1 accepted

0 votes
Answer accepted

Hello Keerthy,

Thank you for reaching out.

Indeed, we don't have documentation on how to enable HSTS on Jira; however, we created a feature request with our development team to provide us with that:

Documentation Regarding HSTS Integration With JIRA 

Feel free to vote and watch the suggestion to increase its priority and also receive notifications about any updates.

For now, can you check if the workaround provided in the feature request works for you? These would be the steps to implement it:

  1. Modify JIRA_Install/conf/web.xml (where server.xml is also located)
  2. Find the section between:
    <!-- ================== Built In Filter Definitions ===================== -->
    

    and

    <!-- ==================== Built In Filter Mappings ====================== -->
    
  3. Add these lines to that section:
    <filter>
     <filter-name>httpHeaderSecurity</filter-name>
     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
     <init-param>
      <param-name>hstsMaxAgeSeconds</param-name>
      <param-value>63072000</param-value>
     </init-param>
     <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>SAMEORIGIN</param-value>
     </init-param>
     <async-supported>true</async-supported>
    </filter>
    <filter-mapping>
     <filter-name>httpHeaderSecurity</filter-name>
     <url-pattern>/*</url-pattern>
     <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    
  4. Restart JIRA

Let us know if this information helps.
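A pre-restart sanity check for the edit in steps 1 to 4, as an added example that is not part of the original answer or Atlassian's own code: it parses web.xml and reports malformed XML, a duplicate filter name, a missing or zero hstsMaxAgeSeconds, or a missing /* mapping. The function name check_hsts_filter and the sample web.xml are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
# Constructed sample: a minimal web.xml holding the filter from step 3.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
 <filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>63072000</param-value></init-param>
 </filter>
 <filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
 </filter-mapping>
</web-app>"""

def local(elem):
    # Tag name without the '{namespace}' prefix ElementTree adds.
    return elem.tag.rsplit("}", 1)[-1]

def texts(elem, name):
    """Stripped text of every direct child called `name`."""
    return [(c.text or "").strip() for c in elem if local(c) == name]

def check_hsts_filter(web_xml_text):
    """Return a list of problems; an empty list means the edit looks sane."""
    try:
        root = ET.fromstring(web_xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    filters = [e for e in root if local(e) == "filter"]
    names = [n for f in filters for n in texts(f, "filter-name")]
    problems = [f"duplicate filter-name {n!r}" for n in sorted(set(names)) if names.count(n) > 1]
    hsts = [f for f in filters if FILTER_CLASS in texts(f, "filter-class")]
    if not hsts:
        return problems + ["no <filter> using " + FILTER_CLASS]
    params = {}
    for p in (c for c in hsts[0] if local(c) == "init-param"):
        params.update(zip(texts(p, "param-name"), texts(p, "param-value")))
    max_age = params.get("hstsMaxAgeSeconds", "")
    if not max_age.isdecimal() or int(max_age) == 0:
        problems.append("hstsMaxAgeSeconds missing or not a positive integer")
    name = (texts(hsts[0], "filter-name") or [""])[0]
    mapped = [m for m in root if local(m) == "filter-mapping" and name in texts(m, "filter-name")]
    if not any("/*" in texts(m, "url-pattern") for m in mapped):
        problems.append(f"filter {name!r} has no <filter-mapping> for /*")
    return problems

if __name__ == "__main__":
    print(check_hsts_filter(SAMPLE) or "OK")
```

Tomcat's HttpHeaderSecurityFilter adds the Strict-Transport-Security header only to responses for requests it considers secure, so confirm the result over HTTPS after the restart.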

Thank you Petter! It worked out perfectly :)

You are welcome, Keerthy!

Let us know if you face any other issues regarding this matter.

Hey Petter,

Should this also work for Confluence? My company offers external documentation that we're trying to make more secure.

Thanks,

Joe

Hi,

I have added the above to my Jira web.xml.

After the restart the Jira process is running, but I am not able to access it from the browser.

I got one issue; I am not sure if it is stopping Jira. errorq.PNG
