How to set X-Frame-Options in Fisheye / Crucible
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Customers may have to set the HTTP header X-Frame-Options: SAMEORIGIN in Fisheye / Crucible and may assume this is configurable on the Jetty application server side.
Environment
< 4.0
Cause
Customers may want to set this HTTP header in order to prevent clickjacking.
Solution
Starting with Fisheye/Crucible 4.0, the X-Frame-Options header has a default value of SAMEORIGIN. If you need to modify this value, be aware that HTTP headers are not adjustable directly within Fisheye/Crucible. Instead, the header is set at the proxy level, and the proxy settings then need to be configured in the Fisheye web server settings afterwards.
How to configure the header at proxy level depends on which proxy solution is being used. Below are implementation examples for Apache HTTP Server and Nginx:
Apache HTTP Server:
- Edit the Apache configuration file for your operating system. The configuration file can be found here:
  Debian based systems: /etc/apache2/conf-enabled/security.conf
  RedHat based systems: /etc/httpd/conf/httpd.conf
- Add the following entry to the file to allow framing from the same origin only (this directive is provided by mod_headers):
  Header set X-Frame-Options "SAMEORIGIN"
- Save the configuration file and restart the Apache service to apply the changes.
Nginx:
- Go to where Nginx is installed and then to its conf folder. Take a backup before modifying anything.
- Add the following parameter in nginx.conf under the server section:
  add_header X-Frame-Options "SAMEORIGIN";
- Restart the Nginx web server.
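Once the proxy has been reconfigured and restarted, confirm that the header actually reaches the browser. The POSIX shell check below is an added example, not part of this article or of Fisheye/Crucible: it parses response headers (constructed samples here; `curl -sI` against the proxied Fisheye URL in practice) and reports whether X-Frame-Options is present exactly once with the value SAMEORIGIN or DENY.

```shell
# Constructed sample responses, standing in for the output of
# `curl -sI https://<fisheye-host>/` against the reverse proxy.
SAMPLE_OK='HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'

SAMPLE_MISSING='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

# check_xfo reads HTTP response headers on stdin and returns 0 only when
# exactly one X-Frame-Options header is present with the value SAMEORIGIN
# or DENY (header name and value are compared case-insensitively).
check_xfo() {
  # Drop the CRs curl passes through, split each line on its first colon,
  # keep the trimmed, upper-cased values of X-Frame-Options headers only.
  values=$(tr -d '\r' | awk '{
      i = index($0, ":"); if (i == 0) next
      if (tolower(substr($0, 1, i - 1)) != "x-frame-options") next
      v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print toupper(v)
  }')
  count=$(printf '%s\n' "$values" | grep -c . || :)
  if [ "$count" -eq 0 ]; then
    echo "FAIL: no X-Frame-Options header; any site may frame this page"
    return 1
  fi
  if [ "$count" -gt 1 ]; then
    echo "FAIL: $count X-Frame-Options headers; set it in exactly one place"
    return 1
  fi
  case "$values" in
    SAMEORIGIN|DENY) echo "OK: X-Frame-Options $values"; return 0 ;;
    *) echo "FAIL: unexpected X-Frame-Options value '$values'"; return 1 ;;
  esac
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OK" | check_xfo
printf '%s\n' "$SAMPLE_MISSING" | check_xfo || :
```

Against a live instance, run `curl -sI https://your-fisheye-host/ | check_xfo` (placeholder host). In Nginx, an add_header inside a location block replaces every add_header inherited from the server block, so re-run the check after any location-level change.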