X-Frame-Options or Content-Security-Policy

A vulnerability scan showed that the JIRA Web server does not set an X-Frame-Options or Content-Security-Policy 'frame-ancestors' response header in all content responses.

 

The solution was to return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response.

 

This is way over my head. Is there something I can do to address this? I have seen others make adjustments to the web.xml file, but the other suggestions don't seem to apply to JIRA Software Server (v7.3)

2 answers

Ben, thank you for replying. I ended up finding a solution here:

https://www.keycdn.com/blog/x-frame-options/

Can you provide more details? The page you linked mostly refers to Apache, not Tomcat. I'm running into this same finding on our Jira and so far I've found no solution to CSP for Tomcat.

This is related to https in apache, the issue I'm running into is offering up the Content-Security-Policy in http which is provided by tomcat, and according to everything I've seen so far, CSP is not provided by tomcat.

Check out Manuel's comment (7th down). The overall ticket is misleading. It seems that, right now, the best solution is to use Apache in a reverse proxy. JIRA, oobe does not include this, nor does its documentation. Their solution is to use Tomcat connectors for https. The ticket looks like it is addressing existing Apache issues with JIRA, but I think they are trying to either implement it, or harden Tomcat. Not really sure where they are taking it.

Running into similar issues with JIRA Capture. Prob better to log as support request.

you may want to watch this ticket:
JRASERVER-25143
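One way to reproduce or close out the scanner finding discussed above, as an added example that is not part of this thread, of Atlassian's code or of Tomcat: a small Python script that classifies captured response headers the way the finding describes (X-Frame-Options DENY/SAMEORIGIN, or a Content-Security-Policy carrying a frame-ancestors directive). The header sets below are constructed samples; replace them with headers captured from your own instance (for example the output of `curl -I`). Function and sample names are my own.

```python
"""Classify whether an HTTP response's headers mitigate framing (clickjacking).

Added example for this thread; not Atlassian's, Jira's or Tomcat's code.
The SAMPLES below are constructed header blocks shaped like what a Tomcat
front end returns; feed parse_raw_headers() a real capture to check a live page.
"""
from typing import List, Tuple


def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Parse the header block of a raw HTTP response (as printed by curl -I)
    into (name, value) pairs. The status line has no ':' and is skipped."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def _header_values(headers: List[Tuple[str, str]], name: str) -> List[str]:
    """All values for a header, case-insensitively (a response may carry several)."""
    return [v.strip() for k, v in headers if k.lower() == name.lower()]


def frame_protection(headers: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (protected, reason) for one response's headers.

    Rules applied, matching the scanner finding:
      * X-Frame-Options DENY or SAMEORIGIN counts; ALLOW-FROM is obsolete and
        ignored by current browsers, so it does not.
      * Content-Security-Policy counts only if it has a frame-ancestors
        directive whose source list is not '*'.
      * Content-Security-Policy-Report-Only never enforces anything.
    """
    xfo = _header_values(headers, "X-Frame-Options")
    for value in xfo:
        if value.upper() in ("DENY", "SAMEORIGIN"):
            return True, f"X-Frame-Options: {value}"
    for policy in _header_values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = parts[1:]
                if not sources or "*" in sources:
                    return False, "frame-ancestors present but allows any origin"
                return True, f"CSP frame-ancestors {' '.join(sources)}"
    if xfo:
        return False, f"X-Frame-Options value not enforced by browsers: {xfo[0]}"
    if _header_values(headers, "Content-Security-Policy-Report-Only"):
        return False, "CSP only in report-only mode"
    return False, "no X-Frame-Options and no CSP frame-ancestors"


# Constructed samples (not captured from any real server).
SAMPLES = {
    "unprotected": "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Type: text/html\r\n",
    "xfo": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n",
    "csp_no_frame_ancestors": "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'\r\n",
    "csp_ok": "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n",
    "csp_wildcard": "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors *\r\n",
    "allow_from": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://intranet.example\r\n",
    "report_only": "HTTP/1.1 200 OK\r\nContent-Security-Policy-Report-Only: frame-ancestors 'none'\r\n",
}


def audit(samples=SAMPLES) -> dict:
    """Run frame_protection over every sample; returns {name: protected}."""
    return {name: frame_protection(parse_raw_headers(raw))[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        ok, why = frame_protection(parse_raw_headers(raw))
        print(f"{name:24s} {'OK  ' if ok else 'FAIL'} {why}")
```

Only `xfo` and `csp_ok` pass; the other five are the ways a server can appear to set something and still trip the finding. If you go the reverse-proxy route the thread settles on, adding the header in Apache with mod_headers (`Header always set X-Frame-Options "SAMEORIGIN"`, or `Header always set Content-Security-Policy "frame-ancestors 'self'"`) and re-running this against a fresh capture of a Jira page is a quick way to confirm the proxy is actually in front of every content response the scanner saw.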
