Configure Bamboo to use HttpOnly and secure cookie


Description

The seraph.bamboo cookie does not use the HttpOnly or secure attributes. This increases the impact of XSS and network-based attacks. If the HttpOnly attribute is set on a cookie, the cookie's value cannot be read or set by client-side JavaScript. This prevents certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script. If the secure flag is set on a cookie, browsers will not submit the cookie in any request that uses an unencrypted HTTP connection, which prevents the cookie from being trivially intercepted by an attacker monitoring network traffic.

Recommendation

To have Bamboo set the respective cookies with the secure attribute, configure Tomcat as described at http://tomcat.apache.org/tomcat-7.0-doc/config/http.html so that the Connector element in the <BambooInstall>/conf/server.xml file includes the following settings:

secure="true" and scheme="https" 

e.g.

<Service name="Catalina">
    <Connector port="8085"
        ...
        scheme="https" secure="true"
        ...
    />
</Service>

These options should be configured when Bamboo runs behind an httpd that terminates HTTPS for Bamboo, with Bamboo itself serving plain HTTP behind it.
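A way to verify the result after the change, as an added example that is not part of the original article and not Atlassian code: the script below parses the Set-Cookie headers of a login response (the sample headers here are constructed, not captured from a real server) and reports which of the two attributes the seraph.bamboo cookie is still missing.

```python
"""Report cookies in a response that lack the HttpOnly and Secure attributes.

Hypothetical helper: paste the Set-Cookie header values from a Bamboo login
response into the list and run it. Attribute names are matched
case-insensitively, as RFC 6265 requires.
"""
from typing import Dict, List

REQUIRED = ("httponly", "secure")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into cookie name, value and attribute names."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    # Keep only the attribute name (e.g. "Path" from "Path=/"), lower-cased.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_flags(headers: List[str], cookie: str = "seraph.bamboo") -> List[str]:
    """Return the required attributes the named cookie lacks.

    [] means both flags are present; ["not set"] means the response never
    set that cookie at all (e.g. the login did not succeed).
    """
    for h in headers:
        c = parse_set_cookie(h)
        if str(c["name"]).lower() == cookie.lower():
            return [f for f in REQUIRED if f not in c["attrs"]]
    return ["not set"]


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map every cookie name in the response to the flags it is missing."""
    names = [str(parse_set_cookie(h)["name"]) for h in headers]
    return {n: missing_flags(headers, n) for n in names}


# Constructed sample headers: before and after the server.xml change.
BEFORE = [
    "JSESSIONID=ABC123; Path=/; HttpOnly",
    "seraph.bamboo=example-token; Path=/",
]
AFTER = [
    "JSESSIONID=ABC123; Path=/; Secure; HttpOnly",
    "seraph.bamboo=example-token; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(hdrs))
```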


Last updated: January 13, 2014
