How to enable and configure HTTP Strict Transport Security (HSTS) response header on Jira



Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

According to HTTP Strict Transport Security (HSTS) RFC (RFC 6797), HSTS is a mechanism for web sites to tell browsers that they should only be accessible over secure connections (HTTPS).
This is declared through the Strict-Transport-Security HTTP response header.

On the following Jira Software versions, the HSTS response header is enabled by default for all pages.


For earlier versions, you need to either configure a reverse proxy (or load balancer) to send the HSTS response header, or configure it in Tomcat.

If using NGINX, refer to HTTP Strict Transport Security (HSTS) and NGINX. On Apache you may use the mod_headers module to set response headers.

If you would like to configure it directly on Tomcat, refer to the steps below.

Solution

Enabling HSTS response headers on Tomcat

  1. Edit the <Jira Install folder>/atlassian-jira/WEB-INF/web.xml file.

  2. Search for the following filter definition.

        <filter>
            <filter-name>security</filter-name>
            <filter-class>com.atlassian.jira.security.JiraSecurityFilter</filter-class>
        </filter>
  3. Add the following filter after it. To learn more about this filter, see the Tomcat documentation.

        <filter>
            <filter-name>httpHeaderSecurity</filter-name>
            <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
            <async-supported>true</async-supported>
            <init-param>
                <param-name>hstsEnabled</param-name>
                <param-value>true</param-value>
            </init-param>
            <init-param>
                <param-name>hstsMaxAgeSeconds</param-name>
                <param-value>31536000</param-value>
            </init-param>
            <init-param>
                <param-name>antiClickJackingOption</param-name>
                <param-value>SAMEORIGIN</param-value>
            </init-param>
        </filter>
    (warning) If Issue Collector is being used in your environment, then please use the following filter instead:
        <filter>
            <filter-name>httpHeaderSecurity</filter-name>
            <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
            <async-supported>true</async-supported>
            <init-param>
                <param-name>hstsEnabled</param-name>
                <param-value>true</param-value>
            </init-param>
            <init-param>
                <param-name>hstsMaxAgeSeconds</param-name>
                <param-value>31536000</param-value>
            </init-param>
            <init-param>
                <param-name>antiClickJackingOption</param-name>
                <param-value>ALLOW-FROM</param-value>
            </init-param>
            <init-param>
                <param-name>antiClickJackingUri</param-name>
                <param-value>https://<Jira Base URL>/*</param-value>
            </init-param>
        </filter>


  4. Still in the same file, search for the following filter mapping.

        <filter-mapping>
            <filter-name>security</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
            <dispatcher>FORWARD</dispatcher> <!-- we want security to be applied after urlrewrites, for example -->
        </filter-mapping>


  5. Add the following mapping after it.

        <filter-mapping>
            <filter-name>httpHeaderSecurity</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
            <dispatcher>FORWARD</dispatcher>
        </filter-mapping>


  6. Save the file and restart Jira so the modifications are applied.
    (warning) If you are running Jira Data Center, then make sure to apply the same steps on all nodes of the cluster.


Configuring HSTS on the latest versions

For the versions of Jira with HSTS enabled by default, you don't need to modify anything in the Tomcat configuration files.
HSTS configuration is managed through the JVM startup options listed below.
Changes to these properties require a restart of the JVM.

Property name: com.atlassian.jira.strict.transport.security.disabled
Default value: false
Description: Whether HSTS response headers should be disabled.

Property name: com.atlassian.jira.strict.transport.security.preload.enabled
Default value: false
Description: Whether the HSTS preload feature should be enabled. See https://hstspreload.org/ for more details.

Property name: com.atlassian.jira.strict.transport.security.include.subdomains.enabled
Default value: false
Description: Whether the HSTS rule should be applied to all of the subdomains.

Property name: com.atlassian.jira.strict.transport.security.max.age
Default value: 31536000
Description: The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS. Defaults to 1 year.
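As an added example (not Atlassian's code and not part of the Tomcat filter), the following Python parses the Strict-Transport-Security header the way RFC 6797 describes and compares it with the policy implied by the filter init-params in the steps above or by the JVM properties in this table. It assumes those settings map one-to-one onto the max-age, includeSubDomains and preload directives; the sample header maps are constructed, not captured from a real instance.

```python
# Added example (not Atlassian's code): parse Strict-Transport-Security as a
# browser does (RFC 6797, section 6.1) and compare it with the policy implied
# by the JVM properties above or the Tomcat filter init-params (assumed mapping).
ONE_YEAR = 31536000  # default of hstsMaxAgeSeconds and ...max.age

def parse_hsts(value):
    """Return {'max_age', 'include_subdomains', 'preload'} from a header value."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError("invalid max-age %r" % val)
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:  # browsers ignore an STS header without max-age
        raise ValueError("max-age directive missing")
    return policy

def expected_policy(disabled=False, max_age=ONE_YEAR, include_subdomains=False, preload=False):
    """Policy the com.atlassian.jira.strict.transport.security.* properties imply."""
    if disabled:
        return None  # ...disabled=true: no header should be sent at all
    return {"max_age": max_age, "include_subdomains": include_subdomains, "preload": preload}

def check_headers(headers, expected):
    """Return findings for a response header map; an empty list means it matches."""
    lower = {k.lower(): v for k, v in headers.items()}
    sts = lower.get("strict-transport-security")
    if expected is None:
        return ["HSTS disabled in configuration but header is still sent"] if sts else []
    if sts is None:
        return ["Strict-Transport-Security header missing"]
    try:
        actual = parse_hsts(sts)
    except ValueError as exc:
        return ["Strict-Transport-Security unparsable: %s" % exc]
    findings = ["%s: got %r, expected %r" % (k, actual[k], expected[k])
                for k in expected if actual[k] != expected[k]]
    if "x-frame-options" not in lower:
        findings.append("X-Frame-Options missing (antiClickJackingOption not applied)")
    return findings

# Constructed sample responses, not captured from a real Jira instance.
SAMPLE_OK = {"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "SAMEORIGIN"}
SAMPLE_WEAK = {"strict-transport-security": "max-age=300; preload"}
```

After applying the filter or properties, feed check_headers the headers of a HEAD request against your own Jira base URL (for example from urllib or requests) to confirm the instance sends what was configured.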

Client-side setup

Whenever you change the HSTS configuration, you also need to refresh the policy stored for the Jira domain (Base URL) in users' browsers:

Chrome

  1. Access chrome://net-internals/#hsts from the browser

  2. Enter the domain that you want to remove in the Delete domain security policies section and click add

  3. Try to access Jira again

Firefox

  1. Start by closing any open windows.
  2. Next, open your browsing history by clicking Ctrl + Shift + H.
  3. Navigate to the site whose HSTS settings you wish to clear.
  4. Right-click on the site and click on Forget About This Site

References

HTTP Strict Transport Security on Wikipedia

HTTP Strict Transport Security on IETF

Strict-Transport-Security on MDN

HTTP Header Security Filter on Apache Tomcat 8 Configuration Reference



Last updated: January 11, 2023
