Configure Bamboo to use HttpOnly and secure cookie


Description

The seraph.bamboo cookie does not use the HttpOnly or secure attributes. This increases the impact of XSS and network-based attacks. If the HttpOnly attribute is set on a cookie, the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script. If the secure flag is set on a cookie, browsers will not submit the cookie in any request that uses an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic.

Recommendation

To have Bamboo set the respective cookies with the secure attribute, configure Tomcat as described at http://tomcat.apache.org/tomcat-7.0-doc/config/http.html so that the Connector in the <BambooInstall>/conf/server.xml file includes the following settings:

secure="true" and scheme="https"

For example:

<Service name="Catalina">
    <Connector port="8085"
        ...
        scheme="https" secure="true"
        ...
    />
</Service>

These options should be configured when Bamboo runs behind an httpd that handles HTTPS on Bamboo's behalf, with Bamboo itself serving plain HTTP behind it.
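As an added verification step (not part of the original article), the following Python script parses Set-Cookie headers and reports which cookies lack the HttpOnly or Secure attribute, so you can confirm the change took effect for seraph.bamboo. The header samples are constructed, and audit_url assumes your Bamboo base URL is reachable from where the script runs.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example (not Atlassian's code): feed it the Set-Cookie headers a Bamboo
instance returns and it lists, per cookie, which of the two attributes is
missing. The header samples at the bottom are constructed.
"""
import urllib.request
from typing import Dict, List, Tuple

# Attributes an authentication cookie should carry. RFC 6265 attribute names
# are case-insensitive, so all comparisons are done in lower case.
REQUIRED_ATTRS = ("httponly", "secure")


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie header into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")  # flags like Secure have no value
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [missing attributes]} for the headers given."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        findings[name] = [a for a in REQUIRED_ATTRS if a not in attrs]
    return findings


def audit_url(url: str) -> Dict[str, List[str]]:
    """Fetch one URL (assumed reachable) and audit every Set-Cookie header."""
    with urllib.request.urlopen(url) as resp:
        return audit_cookies(resp.headers.get_all("Set-Cookie") or [])


# Constructed samples: a cookie before and after the server.xml change.
BEFORE = ["seraph.bamboo=abc123; Path=/; Expires=Tue, 14 Jan 2014 00:00:00 GMT"]
AFTER = ["seraph.bamboo=abc123; Path=/; Expires=Tue, 14 Jan 2014 00:00:00 GMT; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_cookies(sample))
```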

Last modified on Jan 13, 2014
