How do I enable HSTS on Bamboo


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

This article applies when your organization requires HTTP Strict Transport Security (HSTS) and it needs to be implemented on Bamboo. Additional security headers are normally added by a reverse proxy, which offloads that work from the application server. If using NGINX, refer to HTTP Strict Transport Security (HSTS) and NGINX. On Apache, you may use the mod_headers module to set response headers.

This article covers the implementation of HSTS headers directly on the Tomcat version bundled with Bamboo.

The HSTS definition should be configured at the application level, i.e. in <BAMBOO-INSTALL>/atlassian-bamboo/WEB-INF/web.xml.

Changes to Tomcat's default conf/web.xml may not be reflected correctly at Bamboo runtime.

On recent versions of Bamboo, the httpHeaderSecurity sample stanzas may not be present by default in the application's web.xml file. If that is the case, add the code provided below as the first definition of the Filter Definitions or Filter Mappings block of the web.xml file, respectively.

Solution

  1. Secure Bamboo using SSL - HSTS will not work on non-SSL connections, so Bamboo must be configured to listen on SSL
  2. Make a backup copy of your current web.xml in <BAMBOO-INSTALL>/atlassian-bamboo/WEB-INF/web.xml
  3. Search for the following filter definition:

    security <filter>
      <filter>
        <filter-name>security</filter-name>
        <filter-class>com.atlassian.seraph.filter.SecurityFilter</filter-class>
      </filter>
  4. Add the following httpHeaderSecurity <filter> stanza to the web.xml file immediately after the security filter:

    httpHeaderSecurity <filter>
      <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
          <param-name>hstsEnabled</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <param-name>hstsMaxAgeSeconds</param-name>
          <param-value>31536000</param-value>
        </init-param>
        <init-param>
          <param-name>hstsIncludeSubDomains</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <param-name>antiClickJackingOption</param-name>
          <param-value>SAMEORIGIN</param-value>
        </init-param>
      </filter>
  5. Still in the same file, search for the following filter mapping:

    security <filter-mapping>
      <filter-mapping>
        <filter-name>security</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
      </filter-mapping>
  6. Add the following httpHeaderSecurity <filter-mapping> stanza to the web.xml file immediately after the security filter mapping:

    httpHeaderSecurity <filter-mapping>
      <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
      </filter-mapping>
  7. Restart Bamboo

Validation

To test whether the configuration change is working, look for the "Strict-Transport-Security" header in the HTTP response headers. This can be done in several ways. One way is to capture the HTTP traffic in a HAR file and look for it in the headers. Another way is to use curl. Here is an example command and response:

$ curl -s -k -D- https://<Bamboo_URL>:<https_port> | grep -i Strict
Strict-Transport-Security: max-age=31536000;includeSubDomains

If Bamboo does not start after this change, revert to the backup copy of your web.xml file, or to the original provided by the installer, as described in Cannot start Bamboo due to invalid web.xml file.
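Because a malformed or incomplete web.xml stops Bamboo from starting, it is worth checking the file offline before step 7. The following script is an added example (not Atlassian's code): it parses a web.xml, confirms that the httpHeaderSecurity filter from step 4 and the filter-mapping from step 6 are present with hstsEnabled and a max-age of at least one year, and reports malformed XML instead of raising. The embedded SAMPLE_WEB_XML is a constructed, trimmed stand-in for the real file; point check_hsts_web_xml at the contents of <BAMBOO-INSTALL>/atlassian-bamboo/WEB-INF/web.xml to check a real installation.

```python
"""Offline check of a Bamboo web.xml for the HSTS filter wiring (added example, not Atlassian's code)."""
import xml.etree.ElementTree as ET

HSTS_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

def _text(elem, name):
    """Text of a direct child, ignoring whatever xmlns the <web-app> root declares."""
    child = elem.find("{*}" + name)
    return (child.text or "").strip() if child is not None else None

def check_hsts_web_xml(xml_text, min_max_age=31536000):
    """Return a list of findings; an empty list means the httpHeaderSecurity filter is wired up."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # the 'Bamboo will not start' case
        return ["malformed XML (Bamboo will refuse to start): %s" % exc]
    findings = []
    filt = next((f for f in root.findall(".//{*}filter")
                 if _text(f, "filter-name") == "httpHeaderSecurity"), None)
    if filt is None:
        findings.append("no <filter> named httpHeaderSecurity")
    else:
        if _text(filt, "filter-class") != HSTS_CLASS:
            findings.append("filter-class is not %s" % HSTS_CLASS)
        params = {_text(p, "param-name"): _text(p, "param-value")
                  for p in filt.findall("{*}init-param")}
        if params.get("hstsEnabled") != "true":
            findings.append("hstsEnabled is not true")
        if not params.get("hstsMaxAgeSeconds", "").isdigit() or int(params["hstsMaxAgeSeconds"]) < min_max_age:
            findings.append("hstsMaxAgeSeconds missing or below %d" % min_max_age)
    # The mapping must exist; the article places it right after the security mapping.
    names = [_text(m, "filter-name") for m in root.findall(".//{*}filter-mapping")]
    if "httpHeaderSecurity" not in names:
        findings.append("no <filter-mapping> for httpHeaderSecurity")
    elif "security" in names and names.index("security") > names.index("httpHeaderSecurity"):
        findings.append("httpHeaderSecurity mapping should come after the security mapping")
    return findings

# Constructed, trimmed sample of a web.xml with the stanzas from steps 4 and 6 in place.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter><filter-name>security</filter-name>
    <filter-class>com.atlassian.seraph.filter.SecurityFilter</filter-class></filter>
  <filter><filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param></filter>
  <filter-mapping><filter-name>security</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>httpHeaderSecurity</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""
```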

Last modified on Oct 13, 2022
