If our public status page is tested against clickjacking, it is found to be vulnerable to this kind of attack, due to the lack of X-Frame-Options and CSP HTTP headers. Is there a way to set X-Frame-Options and CSP in HTTP response headers?
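The check described in the question, as an added example that is not part of this thread: it classifies a response's framing protection from the two headers at issue, X-Frame-Options and the CSP frame-ancestors directive, using constructed header sets rather than a live fetch.

```python
ENFORCED_XFO = {"DENY", "SAMEORIGIN"}  # the only X-Frame-Options values browsers enforce


def parse_frame_ancestors(csp):
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_clickjacking(headers):
    """Classify the framing protection of one HTTP response.

    headers: mapping of response header names to values (any letter case).
    Returns {'protected': bool, 'findings': [...]}. Protected means an enforced
    X-Frame-Options value or a frame-ancestors directive without '*' is present.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    xfo = h.get("x-frame-options")
    xfo_ok = xfo is not None and xfo.upper() in ENFORCED_XFO
    if xfo is None:
        findings.append("X-Frame-Options missing (set DENY or SAMEORIGIN)")
    elif not xfo_ok:
        findings.append(f"X-Frame-Options value {xfo!r} is not enforced by browsers")

    # Only the enforcing header counts; Content-Security-Policy-Report-Only never blocks framing.
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    fa_ok = ancestors is not None and "*" not in ancestors
    if ancestors is None:
        findings.append("CSP frame-ancestors directive missing (e.g. frame-ancestors 'self')")
    elif not fa_ok:
        findings.append("CSP frame-ancestors contains the * wildcard, so any site may frame the page")

    return {"protected": xfo_ok or fa_ok, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: the header-less page reported in the thread and a hardened one.
    bare = {"Content-Type": "text/html"}
    fixed = {"X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self'"}
    for name, hdrs in (("bare", bare), ("fixed", fixed)):
        print(name, assess_clickjacking(hdrs))
```

To run it against a real page, pass the response headers from any HTTP client as the mapping; a result with both findings is the situation the question describes.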
Hi @Alessandro Casella,
Thanks for reaching out about this. We do have a feature request for this open right now: STATUS-96.
My engineering team is gathering interest on it and might decide to implement it soon. Feel free to reach out via support.atlassian.com if you want more information.
Best,
- Abraham
Please add this feature. Our site scores a "D" on securityheaders.com and drags down our bitsight rating.
Thanks
Dave
Please add those missing HTTP headers, such as X-Frame and CSP; they are strong OWASP requirements and a good practice in ISO/IEC 27001, NIST, etc.
Please add those missing HTTP headers. This is becoming a significant issue with 3rd party risk assessment, impacting the cost of cyber insurance, and the willingness of customers to engage. It seems trivial, but the tools in the space to assess 3rd party risk are generally based on sampling of available resources and then an overall assessment made based on this sampling. While this may not seem fair, it is becoming the overall approach in this space.
By using statuspage we are in essence reducing our cyber security rating and potentially increasing our cyber insurance costs.
Needed headers:
Hello @Abraham Musalem,
I'm the user who requested this feature some months ago.
Is there any progress on STATUS-96? Our customer security team is asking for news about that :)
Regards and thanks for the support,
Gabriele
Atlassian responded to a support request I made on April 26th and told me that they currently cannot enable these headers because it may or would break the ability of customers to customize their statuspages.
They once again said they will bring this to the attention of the engineering team to determine where it fits on their product roadmap.
I explained to them the importance of this seemingly insignificant request's impact on cyber insurance, due to the impact on 3rd party cyber risk scoring that the lack of this feature causes. I do understand the problem their product team faces balancing a seemingly ridiculous/trivial feature request, but in today's world ignoring something like this has real world consequences.
We are currently investigating alternatives to statuspage - primarily because of the impact these missing headers have on our public cyber security rating. The associated cost of insurance, friction in 3rd party risk assessments, and wasted time in explaining why we accept this risk is not worth the value gained by using the product. Especially since there are hungry competitors in this space.