How to configure JIRA server applications for Security Best Practices


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the server and data center platforms.


This 'How to' guide gives instructions on how to set up JIRA server applications according to security best practices. The list is not exhaustive, but it covers the basic and most common practices.


  1. Configure JIRA behind a reverse proxy using SSL, following either of the following:
    1. Configure Jira server to run behind an NGINX reverse proxy
      1. You can then use NGINX features to further increase security. Example:
    2. Integrating JIRA with Apache using SSL
      1. You can then use Apache features to further increase security. Example:
  2. Ensure the additional configuration is set up as detailed in
  3. Optional - may be required by your security policy to prevent 'Clickjacking'. Add the X-Frame-Options header as per JRA-25143. Note that this may break functionality that relies on framing Jira pages.
  4. Test the SSL configuration with an SSL test suite, such as the one from Qualys SSL Labs, and correct any problems it reports.
  5. Set up a firewall.
  6. Configure automatic security updates.
  7. Subscribe to your operating system's security announcement mailing list so you receive security alerts.
  8. If using Linux, configure SSH to use public key authentication only and enable Fail2Ban.
  9. Update JIRA and the operating system regularly.
  10. Ensure that files in the Jira Home directory and the Jira Installation directory are not readable by everyone. Some files contain sensitive information (e.g. dbconfig.xml, attachments, etc.).
  11. Ensure JIRA runs as a user other than root.
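The following POSIX shell script is an added example, not part of the Atlassian article and not an Atlassian tool. It spot-checks three of the items above on the host: that nothing under the Jira Home and Installation directories is world-readable (item 10), that `sshd_config` disables password logins (item 8), and that the reverse proxy sends an `X-Frame-Options` header of `DENY` or `SAMEORIGIN` (item 3). The directory paths, the `JIRA_URL` variable and the function names are assumptions; override the paths via the environment variables shown.

```shell
#!/bin/sh
# Added audit helper (not from the Atlassian article). All paths below are assumed
# defaults and can be overridden from the environment.
JIRA_HOME="${JIRA_HOME:-/var/atlassian/application-data/jira}"   # assumed default path
JIRA_INSTALL="${JIRA_INSTALL:-/opt/atlassian/jira}"              # assumed default path
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Item 10: print every file or directory under $1 whose mode grants read to "other"
# (o+r, i.e. the 004 bit). No output means nothing below $1 is world-readable.
world_readable() {
    find "$1" -perm -004 2>/dev/null
}

# Item 10 helper: number of world-readable entries under $1, as a plain integer.
world_readable_count() {
    world_readable "$1" | wc -l | tr -d ' '
}

# Item 8: succeed if the sshd_config at $1 disables password logins. sshd uses the
# first uncommented PasswordAuthentication line; the compiled-in default is "yes".
sshd_password_auth_disabled() {
    v=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "${v:-yes}" = "no" ]
}

# Item 3: read raw HTTP response headers from stdin (e.g. from `curl -sI`) and succeed
# only if X-Frame-Options is DENY or SAMEORIGIN. Header names are case-insensitive.
frame_header_ok() {
    tr -d '\r' | grep -iqE '^x-frame-options:[[:space:]]*(deny|sameorigin)[[:space:]]*$'
}

# Run all checks against the live host; prints each failure and returns their count.
audit_host() {
    fails=0
    for d in "$JIRA_HOME" "$JIRA_INSTALL"; do
        if [ -d "$d" ] && [ "$(world_readable_count "$d")" -gt 0 ]; then
            echo "FAIL: world-readable entries under $d (first 5):"
            world_readable "$d" | head -n 5
            fails=$((fails + 1))
        fi
    done
    if [ -f "$SSHD_CONFIG" ] && ! sshd_password_auth_disabled "$SSHD_CONFIG"; then
        echo "FAIL: $SSHD_CONFIG does not set 'PasswordAuthentication no'"
        fails=$((fails + 1))
    fi
    # Only contacts the proxy when JIRA_URL is set, e.g. JIRA_URL=https://jira.example.com
    if [ -n "$JIRA_URL" ]; then
        if ! curl -sI "$JIRA_URL" | frame_header_ok; then
            echo "FAIL: $JIRA_URL does not send X-Frame-Options DENY or SAMEORIGIN"
            fails=$((fails + 1))
        fi
    fi
    return "$fails"
}

status=0
audit_host || status=$?
echo "audit finished: $status failing check(s)"
```

Run it as the Jira service user on the application host; a non-empty `world_readable` listing is the fastest way to find a `dbconfig.xml` or attachment directory that was left at the default umask. The header check intentionally rejects values other than `DENY` and `SAMEORIGIN`, since anything else leaves the page frameable.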

Additionally, if using AppArmor there are some available, unsupported, profiles that can be installed as per

Last modified on Aug 24, 2022
