How to enable and configure HTTP Strict Transport Security (HSTS) response header on Jira
Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.
As defined in RFC 6797, HTTP Strict Transport Security (HSTS) is a mechanism by which a web site tells browsers that it must only be accessed over secure connections (HTTPS). The policy is declared through the Strict-Transport-Security HTTP response header.
On the following Jira Software versions, the HSTS response header is enabled by default for all pages.
For earlier versions you need to either configure a reverse proxy (or load balancer) to send the HSTS response header, or configure it in Tomcat. To configure it directly in Tomcat, follow the steps below.
Enabling HSTS response headers on Tomcat
- Edit the <Jira Install folder>/atlassian-jira/WEB-INF/web.xml file.
  Search for the following filter definition:

    <filter>
        <filter-name>security</filter-name>
        <filter-class>com.atlassian.jira.security.JiraSecurityFilter</filter-class>
    </filter>

  Add the following filter after it. See the Tomcat documentation for the full list of parameters this filter accepts.

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </filter>

  Note that HttpHeaderSecurityFilter only adds the Strict-Transport-Security header to requests Tomcat regards as secure (request.isSecure()). If TLS is terminated on a reverse proxy, the Jira connector in server.xml must be declared with scheme="https" and secure="true" (or the forwarded requests must be marked secure by RemoteIpValve); otherwise the header is never sent.

  Still in the same file, search for the following filter mapping:

    <filter-mapping>
        <filter-name>security</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <!-- we want security to be applied after urlrewrites, for example -->
    </filter-mapping>

  Add the following mapping after it:

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>
- Save the file and restart Jira so the modifications are applied.
- If you are running Jira Data Center, then make sure to apply the same steps on all nodes of the cluster.
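On a cluster it is easy to restart a node whose web.xml was never edited, or edited without the mapping, so it helps to check the file mechanically before restarting. The script below is an added example and not Atlassian's code: it parses a web.xml, finds the HttpHeaderSecurityFilter declaration, and reports whether hstsEnabled is true, hstsMaxAgeSeconds is at least one year, and the filter is mapped to /*. The embedded web.xml fragments are constructed for the example; on a real node pass the path from the step above on the command line.

```python
"""Check a Jira web.xml for the Tomcat HttpHeaderSecurityFilter HSTS wiring.

Added example, not Atlassian code. Run it against
<Jira Install folder>/atlassian-jira/WEB-INF/web.xml on every node:
    python check_hsts_webxml.py /path/to/web.xml
"""
import sys
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
ONE_YEAR = 31536000

# Constructed web.xml with the filters and mappings from the steps above.
HSTS_MAPPING = """  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
  </filter-mapping>
"""
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <filter-name>security</filter-name>
    <filter-class>com.atlassian.jira.security.JiraSecurityFilter</filter-class>
  </filter>
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
    <init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>security</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
""" + HSTS_MAPPING + "</web-app>\n"
# The same file with the second mapping forgotten: the filter exists but never runs.
SAMPLE_NO_MAPPING = SAMPLE_WEB_XML.replace(HSTS_MAPPING, "")


def _local(tag):
    """web.xml declares a default namespace; compare element names without it."""
    return tag.split("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def check_web_xml(xml_text):
    """Return a list of problems; an empty list means HSTS is wired as in the steps above."""
    root = ET.fromstring(xml_text)
    filters = [e for e in root if _local(e.tag) == "filter"]
    mappings = [e for e in root if _local(e.tag) == "filter-mapping"]

    hsts = [f for f in filters if _child_text(f, "filter-class") == FILTER_CLASS]
    if not hsts:
        return ["no <filter> declares " + FILTER_CLASS]
    problems = []
    if len(hsts) > 1:
        problems.append("HttpHeaderSecurityFilter is declared more than once")
    flt = hsts[0]
    name = _child_text(flt, "filter-name")

    params = {}
    for p in flt:
        if _local(p.tag) == "init-param":
            params[_child_text(p, "param-name")] = _child_text(p, "param-value")
    if (params.get("hstsEnabled") or "").lower() != "true":
        problems.append("hstsEnabled is not true")
    # Tomcat defaults hstsMaxAgeSeconds to 0, which tells browsers to drop the policy.
    try:
        max_age = int(params.get("hstsMaxAgeSeconds") or "0")
    except ValueError:
        max_age = 0
    if max_age < ONE_YEAR:
        problems.append(f"hstsMaxAgeSeconds={max_age} is below one year ({ONE_YEAR})")

    mapped = [m for m in mappings if _child_text(m, "filter-name") == name]
    if not mapped:
        problems.append(f"filter '{name}' has no <filter-mapping>")
    elif not any(_child_text(m, "url-pattern") == "/*" for m in mapped):
        problems.append(f"filter '{name}' is not mapped to /*")
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    for line in check_web_xml(text) or ["OK: HSTS filter configured"]:
        print(line)
```

Running it with no argument checks the constructed sample; with a path it checks that file. A non-empty result on any Data Center node means the node will come back without HSTS after the restart.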
Configuring HSTS on latest versions
For the Jira versions with HSTS enabled by default, nothing needs to be changed in the Tomcat configuration files.
HSTS is configured through the JVM startup options described below.
Changes to these properties require a restart of the JVM.
|Property name|Default value|Description|
|---|---|---|
| | |Whether HSTS response headers should be disabled.|
| | |Whether the HSTS preload feature should be enabled. See https://hstspreload.org/ for more details.|
| | |Whether the HSTS rule should be applied to all subdomains.|
| | |The time, in seconds, that the browser should remember that the site is only to be accessed using HTTPS.|
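Whichever route is used, the JVM options here or the Tomcat filter above, the result only matters if a browser actually receives a well-formed header over HTTPS, so the check belongs on the client side. The script below is an added example, not part of the Atlassian article: it parses a Strict-Transport-Security value according to RFC 6797 and flags the failure modes that the server-side switches hide (header missing on HTTPS, header sent on plain HTTP where browsers must ignore it, max-age below one year, max-age=0, preload without includeSubDomains). The responses it inspects are constructed; for a real instance feed it the headers from curl -sI https://jira.example.com/ (hostname assumed).

```python
"""Validate the Strict-Transport-Security header a Jira instance returns.

Added example, not Atlassian code. The sample responses are constructed; for a
real instance paste in the headers from:  curl -sI https://jira.example.com/
"""
ONE_YEAR = 31536000  # hstspreload.org minimum max-age (one year)


def parse_hsts(value):
    """Parse an STS header value per RFC 6797 section 6.1.

    Returns max_age (int or None), include_subdomains, preload and a list of
    syntax errors. Unknown directives are ignored, as the RFC requires.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False, "errors": []}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:  # section 6.1: each directive MUST appear only once
            result["errors"].append(f"duplicate directive '{name}'")
            continue
        seen.add(name)
        if name == "max-age":
            if val.isdigit():
                result["max_age"] = int(val)
            else:
                result["errors"].append("max-age must be a non-negative integer")
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        result["errors"].append("max-age directive is required")
    return result


def assess(scheme, headers):
    """Return findings for one response (URL scheme plus a list of (name, value) headers).

    An empty list means a well-formed policy with at least a one-year max-age.
    """
    sts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if scheme != "https":
        # RFC 6797 section 8.1: browsers MUST ignore STS received over plain HTTP,
        # so a header here points at a connector that is not marked secure.
        return ["STS header sent over http is ignored by browsers"] if sts else []
    if not sts:
        return ["no Strict-Transport-Security header on HTTPS response"]
    findings = []
    if len(sts) > 1:  # section 8.1: only the first header field is processed
        findings.append("multiple STS headers; browsers use only the first")
    parsed = parse_hsts(sts[0])
    findings.extend(parsed["errors"])
    max_age = parsed["max_age"]
    if max_age == 0:
        findings.append("max-age=0 tells browsers to delete the policy")
    elif max_age is not None and max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is shorter than one year")
    if parsed["preload"] and not (parsed["include_subdomains"] and (max_age or 0) >= ONE_YEAR):
        findings.append("preload requires includeSubDomains and max-age >= 31536000")
    return findings


# Constructed responses (not captured from a real Jira).
SAMPLES = {
    # what the Tomcat filter from the steps above emits on an HTTPS request
    "tomcat_filter": ("https", [("Strict-Transport-Security", "max-age=31536000")]),
    # a policy that meets the hstspreload.org submission requirements
    "preload_ready": ("https", [("Strict-Transport-Security",
                                 "max-age=63072000; includeSubDomains; preload")]),
    # TLS ends at the proxy but Tomcat does not see the request as secure
    "missing": ("https", [("Content-Type", "text/html;charset=UTF-8")]),
    # short max-age and preload without includeSubDomains
    "weak": ("https", [("Strict-Transport-Security", "max-age=300; preload")]),
}

if __name__ == "__main__":
    for label, (scheme, headers) in SAMPLES.items():
        print(label, "->", assess(scheme, headers) or ["OK"])
```

The "missing" sample is the case to watch for behind a load balancer: Jira is reachable over HTTPS, every switch is set, and the browser still never sees the header because Tomcat classified the forwarded request as plain HTTP.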
- HTTP Strict Transport Security on Wikipedia
- HTTP Strict Transport Security (RFC 6797) on IETF
- Strict-Transport-Security on MDN
- HTTP Header Security Filter in the Apache Tomcat 8 Configuration Reference