How to set X-Frame-Options in Fisheye / Crucible

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Customers may need to set the HTTP header X-Frame-Options: SAMEORIGIN in Fisheye / Crucible, and may expect this to be configurable on the Jetty application server side.

Environment

4.8.6

Cause

Customers may want to set this HTTP header to protect against clickjacking.

Solution

HTTP headers cannot be configured directly in Fisheye / Crucible. Set them at the proxy level instead, and then configure the proxy settings in the Fisheye web server.

How to configure the header at proxy level depends on which proxy solution is being used. Below are implementation examples for Apache HTTP Server and Nginx:

Apache HTTP Server:

  1. Edit the Apache configuration file for your operating system. The configuration file can be found here:

    Debian based systems: /etc/apache2/conf-enabled/security.conf
    RedHat based systems: /etc/httpd/conf/httpd.conf

  2. Add the following entry to the file so that pages can only be framed by the same origin:

    Header set X-Frame-Options: "SAMEORIGIN"

  3. Save the configuration file and restart the Apache service to apply the changes.

Nginx:

  1. Go to the directory where Nginx is installed and open its conf folder.
  2. Take a backup of the configuration before modifying it.
  3. Add the following parameter to nginx.conf under the server section:

    add_header X-Frame-Options "SAMEORIGIN";

  4. Restart the Nginx web server.
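
To confirm that the proxy actually returns the header after the restart, the following added example (not part of the original article) classifies the X-Frame-Options header found in a response header block such as the output of curl -sI. The function name check_xfo, the sample responses and the host fisheye.example.com are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# check_xfo reads an HTTP response header block on stdin, for instance the
# output of `curl -sI https://fisheye.example.com/` (placeholder host), and
# prints a verdict on the X-Frame-Options header(s) it finds:
#   ok:<VALUE>    one distinct valid value (DENY or SAMEORIGIN)
#   missing       header absent (proxy not reloaded, wrong server block, ...)
#   invalid:<V>   a value other than DENY or SAMEORIGIN
#   conflict      more than one distinct value (header set at two layers)
check_xfo() {
  awk '
    {
      sub(/\r$/, "")                        # curl -I output ends lines with CRLF
      if (tolower($0) !~ /^x-frame-options[ \t]*:/) next
      sub(/^[^:]*:/, "")                    # keep only the field value
      n = split(toupper($0), parts, ",")    # one line may carry a comma list
      for (i = 1; i <= n; i++) {
        v = parts[i]
        sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
        if (v == "") continue
        if (v != "DENY" && v != "SAMEORIGIN" && bad == "") bad = v
        if (!(v in seen)) { seen[v] = 1; distinct++; last = v }
      }
    }
    END {
      if (distinct == 0)     print "missing"
      else if (bad != "")    print "invalid:" bad
      else if (distinct > 1) print "conflict"
      else                   print "ok:" last
    }
  '
}

# Constructed sample responses (not captured from a real server).
sample_ok()       { printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n'; }
sample_missing()  { printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n'; }
sample_conflict() { printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nx-frame-options: DENY\r\n\r\n'; }
sample_invalid()  { printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n\r\n'; }

for s in sample_ok sample_missing sample_conflict sample_invalid; do
  printf '%s: %s\n' "$s" "$($s | check_xfo)"
done
```

Against a live instance, pipe the response headers of the proxied Fisheye / Crucible URL into check_xfo; any verdict other than ok:SAMEORIGIN means the proxy configuration should be reviewed.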

Last modified on Mar 27, 2023
