X-Frame-Options and CSP HTTP Headers

Alessandro Casella
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
April 18, 2023

If our public status page is tested against clickjacking, it turns out to be vulnerable to this kind of attack due to the lack of X-Frame-Options and CSP HTTP headers. Is there a way to set X-Frame-Options and CSP in HTTP response headers?

1 answer

1 accepted

1 vote
Answer accepted
Abraham Musalem
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 19, 2023

Hi @Alessandro Casella ,

Thanks for reaching out about this. We do have a feature request for this open right now: STATUS-96. 

My engineering team is gathering interest on it and might decide to implement it soon. Feel free to reach out via support.atlassian.com if you want more information. 

Best, 
- Abraham 

Dave Ireland
I'm New Here
May 19, 2023

Please add this feature. Our site scores a "D" on securityheaders.com and drags down our BitSight rating.

Thanks

Dave

Mohamed B_ L_
I'm New Here
October 16, 2023

Please add those missing HTTP headers, such as X-Frame-Options and CSP; they are strong OWASP requirements and good practice in ISO/IEC 27001, NIST, etc.

William Nuss
I'm New Here
April 25, 2024

Please add those missing HTTP headers. This is becoming a significant issue with 3rd party risk assessment, impacting the cost of cyber insurance and the willingness of customers to engage. It seems trivial, but the tools in the space to assess 3rd party risk are generally based on sampling of available resources, and then an overall assessment is made based on this sampling. While this may not seem fair, it is becoming the overall approach in this space.

By using Statuspage we are in essence reducing our cyber security rating and potentially increasing our cyber insurance costs.

Needed headers:

  • Cache-Control
  • Content-Security-Policy
  • Expires
  • HTTP Strict-Transport-Security
  • X-Content-Type-Options
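The question at the top of the thread and the header list just above both amount to the same check: does a response carry the headers that stop a browser from framing the page (X-Frame-Options, or a CSP `frame-ancestors` directive) plus the other hardening headers scanners such as securityheaders.com look for? The following script is an added example, not Atlassian or Statuspage code and not output from any real scan; the two header sets it evaluates are constructed to mirror an unprotected page and a hardened one, and the one-year HSTS `max-age` threshold is a policy choice made for this example.

```python
"""Evaluate an HTTP response's headers for the clickjacking and hardening
controls discussed in the thread.

Added example; not Atlassian/Statuspage code. The header sets below are
constructed samples, and the HSTS threshold is an assumed policy value.
"""

from __future__ import annotations

import urllib.request

# Constructed sample: what a scanner sees on a page sending neither
# X-Frame-Options nor Content-Security-Policy.
UNPROTECTED = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "example",
}

# Constructed sample: a response carrying every header the thread asks for.
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
    "Expires": "0",
}

# Assumed policy: HSTS should commit browsers to HTTPS for at least a year.
MIN_HSTS_MAX_AGE = 31536000


def _header(headers: dict, name: str) -> str | None:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_directive(csp: str, directive: str) -> list[str] | None:
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == directive:
            return tokens[1:]
    return None


def framing_allowed(headers: dict) -> bool:
    """True if nothing in the response tells a browser to refuse framing.

    CSP frame-ancestors takes precedence over X-Frame-Options when present;
    only a wildcard source list leaves the page frameable by any origin.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = csp_directive(csp, "frame-ancestors")
        if ancestors is not None:
            return "*" in ancestors
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None and xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return False
    return True


def hsts_max_age(value: str) -> int:
    """Parse max-age out of a Strict-Transport-Security value (0 if missing)."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def findings(headers: dict) -> list[str]:
    """List the problems a header review would report for this response."""
    problems: list[str] = []
    if framing_allowed(headers):
        problems.append("clickjacking: no X-Frame-Options and no CSP frame-ancestors")
    if _header(headers, "Content-Security-Policy") is None:
        problems.append("missing Content-Security-Policy")
    hsts = _header(headers, "Strict-Transport-Security")
    if hsts is None or hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        problems.append("missing or short-lived Strict-Transport-Security")
    xcto = _header(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        problems.append("X-Content-Type-Options is not 'nosniff'")
    if _header(headers, "Cache-Control") is None:
        problems.append("missing Cache-Control")
    if _header(headers, "Expires") is None:
        problems.append("missing Expires")
    return problems


def fetch_headers(url: str) -> dict:
    """Fetch live response headers (only needed for a real check, not used here)."""
    with urllib.request.urlopen(url) as resp:  # nosec: operator-supplied URL
        return dict(resp.headers)


if __name__ == "__main__":
    for label, sample in (("unprotected", UNPROTECTED), ("hardened", HARDENED)):
        print(f"{label}: {findings(sample) or ['no findings']}")
```

Running it prints six findings for the unprotected sample and none for the hardened one. To review a live page, pass `fetch_headers("https://<your status page>")` to `findings()`; the check is read-only and works from the headers a normal page load already returns.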
Gabriele Biagiotti
I'm New Here
May 24, 2024

Hello @Abraham Musalem ,

I'm the user who requested this feature some months ago.

Is there any progress on STATUS-96? Our customer security team is asking for news about that :)

Regards and thanks for the support,

Gabriele

William Nuss
I'm New Here
May 24, 2024

Atlassian responded to a support request I made on April 26th and told me that they currently cannot enable these headers because it may or would break the ability of customers to customize their statuspages. 

They once again said they will bring this to the attention of the engineering team to determine where it fits on their product roadmap.

I explained to them the importance of this seemingly insignificant request's impact on cyber insurance, due to the impact on 3rd party cyber risk scoring that the lack of this feature causes. I do understand the problem their product team faces balancing a seemingly ridiculous/trivial feature request, but in today's world ignoring something like this has real-world consequences.

We are currently investigating alternatives to Statuspage, primarily because of the impact these missing headers have on our public cyber security rating. The associated cost of insurance, friction in 3rd party risk assessments, and wasted time in explaining why we accept this risk is not worth the value gained by using the product, especially since there are hungry competitors in this space.
