A vulnerability scan showed that the JIRA Web server does not set an X-Frame-Options or Content-Security-Policy 'frame-ancestors' respose header in all content responses.
The solution was to return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response.
This is way over my head. Is there something I can do to address this? I have seen others make adjustments to the web.xml file, but the other suggestions don't seem to apply to JIRA Software Server (v7.3)
Check out Manuel's comment (7th down). The overall ticket is misleading. It seems that, right now, the best solution is to use Apache in a reverse proxy. JIRA, oobe does not include this, nor does its documentation. Their solution is to use Tomcat connectors for https. The ticket looks like it is addressing existing Apache issues with JIRA, but I think they are trying to either implement it, or harden Tomcat. Not really sure where they are taking it.
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
We're bringing product updates and pro tips on teamwork to ten cities around the world.Save your spot