Is there a way to change the HSTS header strict-transport-security?

Martin Dykes
I'm New Here
October 20, 2022

Hi,

Is there a way to change the Strict-Transport-Security header when using a custom domain for Statuspage?

Thanks,

Martin

Answer accepted
John M
Atlassian Team
October 20, 2022

Hi Martin,

There is no way to change the HTTP Strict-Transport-Security response header, as we do not provide direct access to it. 

henrik_wejdmark February 26, 2024

Hi,

Can you please add this as a feature suggestion? Lacking HSTS goes against best practice and does show up as an issue for SOC compliance.

//Cheers Henrik

John M
Atlassian Team
February 26, 2024

Hi @henrik_wejdmark ,

We have STATUS-596 logged for the ability to customize the Statuspage HSTS headers.

henrik_wejdmark February 27, 2024

That's great that it's tracked, unfortunately STATUS-596 is not public so I can't see or watch it.

//Cheers Henrik

John M
Atlassian Team
February 29, 2024

Hi @henrik_wejdmark ,

The Statuspage project is not public at this time so none of the issues from that project are available. It is possible that the project may be made public at some point for easier tracking. 

henrik_wejdmark February 29, 2024

I understand you need to filter which issues you show publicly, but Statuspage shows plenty of public issues, unfortunately not STATUS-596.

See: https://jira.atlassian.com/projects/STATUS/issues/STATUS-729?filter=allopenissues 

//Cheers Henrik

John M
Atlassian Team
February 29, 2024

Hi @henrik_wejdmark ,

You're right, I meant to say that the feature requests from Statuspage are not public, but the bugs are made public. Since STATUS-596 is a feature request, it won't show up until/unless there is a change to the visibility for feature requests.

Eliot Cohen
I'm New Here
May 23, 2024

Hey @John M !

We just had this come up with one of our customers doing a security review of us as a vendor. Can you please add us/me as a customer on the feature request STATUS-596?

Thanks,

Eliot

John M
Atlassian Team
May 23, 2024

Hi @Eliot Cohen ,

Sure, we can do that, however we need to link it to a support ticket with your customer information. If you could please open a Statuspage support ticket here:

https://support.atlassian.com/contact/#/

And just state that you would like to be added to STATUS-596, we can get that taken care of for you. 

ninad
I'm New Here
September 2, 2024

@John M we have the same issue: a low HSTS max-age keeps showing up on our security review. I will be raising a ticket as described above, mentioning that we need and are waiting on STATUS-596.

Just posting here as well in case something else is required.

ashish
I'm New Here
December 4, 2024

Hey @John M

I have a similar issue. Our site is getting flagged for HSTS max-age and HSTS missing subdomains, as the header reads "strict-transport-security: max-age=259200". Ideally what we are looking for is "Strict-Transport-Security: max-age=31536000; includeSubDomains" and preload if possible.

I can see that this issue has been open since 2022, with the current discussion from Feb 2024. This doesn't seem to be a very complex change. May I know why it is taking 10 months or more just to fix this, as it seems to be a concern for many Atlassian users?


sators
Contributor
January 30, 2025

I also will throw my hat in the ring, as this issue is flagging our Status Page as being less than secure for SOC2 purposes. Please help!

Independent validation via https://hstspreload.org/ shows the asset does not adhere to HSTS best practices (the max-age directive is still shorter than best practices; the header is still missing the includeSubDomains directive). Please review https://support.securityscorecard.com/hc/en-us/articles/360058576372-Website-Does-Not-Implement-HSTS-Best-Practices.
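The two review findings quoted in this thread (a max-age of 259200 seconds and a missing includeSubDomains directive) and the hstspreload.org check can be reproduced locally before a vendor review raises them. The script below is an added example and is not Atlassian's or Statuspage's code: it parses a Strict-Transport-Security header value per RFC 6797 and reports which criteria it misses, using the hstspreload.org submission thresholds (max-age of at least one year, includeSubDomains and preload present) as the yardstick. The sample header values are constructed except for the max-age=259200 value quoted above; `fetch_hsts_header` is an optional helper that makes a live HTTPS request and is not needed for the offline samples.

```python
"""Check a Strict-Transport-Security header value against common review criteria.

Added example; not Atlassian's or Statuspage's code. Thresholds follow the
hstspreload.org submission requirements (assumption: those are the criteria a
vendor security review applies). Sample values below are constructed, apart
from the max-age=259200 header quoted in the thread.
"""

import re
import urllib.request
from typing import Optional

ONE_YEAR = 31536000  # seconds; minimum max-age accepted by hstspreload.org


def parse_hsts(value: str) -> dict:
    """Parse an HSTS header value into a directive map.

    RFC 6797: directives are separated by ';', names are case-insensitive,
    and only max-age carries a value. Flag directives map to True; unknown
    directives are kept so callers can inspect them, but are not evaluated.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        directives[name] = val.strip().strip('"') if sep else True
    return directives


def evaluate_hsts(value: Optional[str]) -> list:
    """Return a list of findings; an empty list means every criterion is met."""
    findings = []
    if value is None or not value.strip():
        return ["HSTS header missing"]
    d = parse_hsts(value)
    max_age = d.get("max-age")
    # max-age is mandatory and must be a non-negative integer (delta-seconds).
    if max_age is None or max_age is True or not re.fullmatch(r"\d+", max_age):
        findings.append("max-age missing or not a non-negative integer")
    else:
        seconds = int(max_age)
        if seconds == 0:
            findings.append("max-age=0 disables HSTS for the host")
        elif seconds < ONE_YEAR:
            findings.append(f"max-age={seconds} is shorter than one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains directive missing")
    if "preload" not in d:
        findings.append("preload directive missing (required only for preload-list submission)")
    return findings


def fetch_hsts_header(host: str, timeout: float = 10.0) -> Optional[str]:
    """HEAD the site over HTTPS and return its HSTS header (None if absent).

    Live network call, not used by the offline samples. HSTS is only honoured
    by browsers when delivered over an error-free HTTPS connection, which is
    why the request is made over HTTPS rather than HTTP.
    """
    req = urllib.request.Request(f"https://{host}/", method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Strict-Transport-Security")


# Constructed samples; the first value is the header quoted in the thread.
SAMPLE_HEADERS = {
    "as reported in the thread": "max-age=259200",
    "recommended (constructed)": "max-age=31536000; includeSubDomains; preload",
    "header absent (constructed)": None,
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label}: {evaluate_hsts(header) or ['meets all criteria']}")
```

One caveat when adopting the recommended value on a custom domain: includeSubDomains commits every name below the status host to HTTPS for the full max-age, and preload makes that commitment persistent in shipped browsers, so confirm that nothing under that hostname still needs plain HTTP before raising the value.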
