X-Frame-Options or Content-Security-Policy

A vulnerability scan showed that the JIRA Web server does not set an X-Frame-Options or Content-Security-Policy 'frame-ancestors' response header in all content responses.


The solution was to return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response.


This is way over my head. Is there something I can do to address this? I have seen others make adjustments to the web.xml file, but the other suggestions don't seem to apply to JIRA Software Server (v7.3)

2 answers

Ben, thank you for replying. I ended up finding a solution here:

https://www.keycdn.com/blog/x-frame-options/

Can you provide more details? The page you linked mostly refers to Apache, not Tomcat. I'm running into this same finding on our Jira and so far I've found no solution to CSP for Tomcat.

@Matthew, you may want to watch this ticket:
JRASERVER-25143

This is related to HTTPS in Apache; the issue I'm running into is offering up the Content-Security-Policy in HTTP, which is provided by Tomcat, and according to everything I've seen so far, CSP is not provided by Tomcat.

Check out Manuel's comment (7th down). The overall ticket is misleading. It seems that, right now, the best solution is to use Apache as a reverse proxy. JIRA, OOTB, does not include this, nor does its documentation. Their solution is to use Tomcat connectors for HTTPS. The ticket looks like it is addressing existing Apache issues with JIRA, but I think they are trying to either implement it, or harden Tomcat. Not really sure where they are taking it.

Running into similar issues with JIRA Capture. Probably better to log this as a support request.

you may want to watch this ticket:
JRASERVER-25143
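An added example, not code from the original thread or from Atlassian, covering both the question (what can be done in web.xml) and the point that Tomcat has no built-in way to emit Content-Security-Policy. Tomcat's bundled org.apache.catalina.filters.HttpHeaderSecurityFilter can set X-Frame-Options (init-param antiClickJackingOption, DENY or SAMEORIGIN) but has no CSP option, so the 'frame-ancestors' directive needs a small servlet filter of your own like the one below. It assumes a Servlet 3.x container with the javax.servlet API (Jira 7.x bundles Tomcat 8), that the compiled class is placed on the webapp classpath (WEB-INF/classes or a jar in WEB-INF/lib), and that it is registered in the webapp's web.xml as shown in the comment; the package, class and parameter names, and the https://confluence.example.com origin, are illustrative. Two caveats a practitioner would want: Atlassian upgrades may overwrite web.xml, so the change has to be re-applied and is not something Atlassian support will treat as a supported configuration, and any product that legitimately frames Jira (for example a Confluence instance embedding Jira gadgets) must be listed in the frame-ancestors source list or that embedding will break.

```java
package example.security; // hypothetical package name

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet filter that adds clickjacking-protection headers to every response
 * passing through it: Content-Security-Policy with a 'frame-ancestors'
 * directive, plus X-Frame-Options as a fallback for browsers without CSP2.
 *
 * Registration in the webapp's web.xml (hypothetical names, illustrative value):
 *
 *   <filter>
 *     <filter-name>FrameAncestorsFilter</filter-name>
 *     <filter-class>example.security.FrameAncestorsFilter</filter-class>
 *     <init-param>
 *       <param-name>frameAncestors</param-name>
 *       <param-value>'self' https://confluence.example.com</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>FrameAncestorsFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *     <dispatcher>FORWARD</dispatcher>
 *     <dispatcher>ERROR</dispatcher>
 *   </filter-mapping>
 *
 * Put the mapping ahead of the other filter mappings and include the FORWARD
 * and ERROR dispatchers, so forwarded pages and error pages carry the headers
 * too; the scanner finding was about "all content responses".
 */
public class FrameAncestorsFilter implements Filter {

    private static final String XFO = "X-Frame-Options";
    private static final String CSP = "Content-Security-Policy";

    // Sources allowed to frame this application, in CSP source-list syntax.
    private String frameAncestors = "'self'";

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("frameAncestors");
        if (configured != null && !configured.trim().isEmpty()) {
            frameAncestors = configured.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse resp = (HttpServletResponse) res;
            // setHeader, not addHeader: replace any value set elsewhere instead of
            // sending two. Browsers treat conflicting X-Frame-Options values as invalid,
            // and an application-set CSP would otherwise be joined with this one.
            resp.setHeader(CSP, "frame-ancestors " + frameAncestors);
            // X-Frame-Options cannot express a list of origins, so the fallback is
            // exact only for 'none' (DENY) or 'self' (SAMEORIGIN). Browsers that
            // support CSP2 ignore X-Frame-Options when frame-ancestors is present,
            // so listing extra origins in the CSP still works where it matters.
            resp.setHeader(XFO, xfoFor(frameAncestors));
        }
        chain.doFilter(req, res);
    }

    /** Maps a frame-ancestors source list to the closest X-Frame-Options value. */
    static String xfoFor(String ancestors) {
        return "'none'".equals(ancestors) ? "DENY" : "SAMEORIGIN";
    }

    @Override
    public void destroy() {
    }
}
```

After restarting Jira, confirm the result the way the scanner does rather than from a browser cache: request a page, a static resource and a non-existent path (to exercise the error dispatcher) with curl -sI and check that each response carries exactly one Content-Security-Policy and one X-Frame-Options header. If Apache is later put in front of Tomcat as the ticket discussion suggests, move the policy to one place only; a proxy that also adds these headers will produce duplicates.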
