How to enable and configure HTTP Strict Transport Security (HSTS) response header on Jira



Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.

Summary

HTTP Strict Transport Security (HSTS), defined in RFC 6797, is a mechanism by which a web site tells browsers that it must only be accessed over secure connections (HTTPS).
The policy is declared through the Strict-Transport-Security HTTP response header.

On the following Jira Software versions, the HSTS response header is enabled by default for all pages.


For previous versions you need to either configure a reverse proxy (or load balancer) to send the HSTS response header, or configure it in Tomcat.

If using NGINX, refer to HTTP Strict Transport Security (HSTS) and NGINX. On Apache you may use the mod_headers module to set response headers.

If you would like to configure it directly on Tomcat, refer to the steps below.

Solution

Enabling HSTS response headers on Tomcat

  1. Edit the <Jira Install folder>/atlassian-jira/WEB-INF/web.xml file.
  2. Search for the following filter definition.

        <filter>
            <filter-name>security</filter-name>
            <filter-class>com.atlassian.jira.security.JiraSecurityFilter</filter-class>
        </filter>
  3. Add the following filter after it. For details on this filter, see the Tomcat documentation.

        <filter>
            <filter-name>httpHeaderSecurity</filter-name>
            <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
            <init-param>
                <param-name>hstsEnabled</param-name>
                <param-value>true</param-value>
            </init-param>
            <init-param>
                <param-name>hstsMaxAgeSeconds</param-name>
                <param-value>31536000</param-value>
            </init-param>
            <init-param>
                <param-name>antiClickJackingOption</param-name>
                <param-value>SAMEORIGIN</param-value>
            </init-param>
            <async-supported>true</async-supported>
        </filter>
  4. Still on the same file, search for the following filter mapping.

        <filter-mapping>
            <filter-name>security</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
            <dispatcher>FORWARD</dispatcher> <!-- we want security to be applied after urlrewrites, for example -->
        </filter-mapping>
  5. Add the following mapping after it.

        <filter-mapping>
            <filter-name>httpHeaderSecurity</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
            <dispatcher>FORWARD</dispatcher>
        </filter-mapping>
  6. Save the file and restart Jira so the modifications are applied.
    • If you are running Jira Data Center, then make sure to apply the same steps on all nodes of the cluster.


Configuring HSTS on latest versions

For those versions of Jira with HSTS enabled by default, you don't need to modify anything in the Tomcat configuration files.
Configuration related to HSTS is managed through the JVM startup options listed below.
Changes to these properties require a restart of the JVM.


Property name | Default value | Description
com.atlassian.jira.strict.transport.security.disabled | false | If HSTS response headers should be disabled.
com.atlassian.jira.strict.transport.security.preload.enabled | false | If the HSTS preload feature should be enabled. See https://hstspreload.org/ for more details.
com.atlassian.jira.strict.transport.security.include.subdomains.enabled | false | If the HSTS rule should be applied to all of the subdomains.
com.atlassian.jira.strict.transport.security.max.age | 31536000 | The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS. Defaults to 1 year.
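After either of the two configurations above (the Tomcat web.xml filter, or the JVM properties on newer versions), the practical check is to capture a response from Jira over HTTPS and confirm that the Strict-Transport-Security header is present and carries the policy you intended. The following Python script is an added example, not part of this article or of Jira itself: it parses a header value according to the directive syntax of RFC 6797, builds the policy that the JVM properties in the table above imply (the property names are the ones from the table; the exact string formatting Jira uses is not stated on this page, so comparison is done on the parsed policy, not on the raw string), and reports mismatches. The sample response headers are constructed for the example; the function and variable names are the author's own choice.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

JIRA_PREFIX = "com.atlassian.jira.strict.transport.security."
ONE_YEAR = 31536000  # default max-age on this page, also the minimum hstspreload.org accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Directive names are case-insensitive, directives are separated by ';',
    max-age is mandatory and unknown directives are ignored.
    """
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                raise ValueError(f"invalid max-age value: {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def policy_from_jira_props(props: Dict[str, str]) -> Optional[HstsPolicy]:
    """Policy implied by the JVM properties in the table above (defaults applied).

    Returns None when the 'disabled' property is true, i.e. no header is expected.
    """
    def flag(name: str) -> bool:
        return props.get(JIRA_PREFIX + name, "false").strip().lower() == "true"

    if flag("disabled"):
        return None
    return HstsPolicy(
        max_age=int(props.get(JIRA_PREFIX + "max.age", str(ONE_YEAR))),
        include_subdomains=flag("include.subdomains.enabled"),
        preload=flag("preload.enabled"),
    )


def check_response(headers: Dict[str, str], expected: Optional[HstsPolicy]) -> List[str]:
    """Compare the HSTS header of a captured HTTPS response with the expected policy.

    Returns a list of findings; an empty list means the response matches.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if expected is None:
        return [] if value is None else ["HSTS header present although it was disabled"]
    if value is None:
        # Tomcat's HttpHeaderSecurityFilter only adds HSTS on requests it sees as
        # secure, so a missing header behind a TLS-terminating proxy is a common symptom.
        return ["Strict-Transport-Security header missing"]
    try:
        actual = parse_hsts(value)
    except ValueError as exc:
        return [f"malformed Strict-Transport-Security header: {exc}"]
    findings = []
    if actual.max_age < expected.max_age:
        findings.append(f"max-age {actual.max_age} is below configured {expected.max_age}")
    if expected.include_subdomains and not actual.include_subdomains:
        findings.append("includeSubDomains expected but absent")
    if expected.preload and not actual.preload:
        findings.append("preload expected but absent")
    return findings


def preload_eligible(policy: HstsPolicy) -> bool:
    """Minimum header requirements published by hstspreload.org."""
    return policy.max_age >= ONE_YEAR and policy.include_subdomains and policy.preload


# Constructed sample: what a response from the web.xml configuration above would carry
# (hstsMaxAgeSeconds=31536000, no subdomain or preload parameters set).
SAMPLE_TOMCAT_RESPONSE = {
    "Content-Type": "text/html;charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    expected = policy_from_jira_props({})  # all defaults from the table
    print(check_response(SAMPLE_TOMCAT_RESPONSE, expected) or "HSTS header matches")
```

To use it against a live instance, paste the header lines from `curl -sI https://<jira-host>/` into the dictionary in place of the constructed sample, and pass the JVM properties (or the values from your web.xml filter) to `policy_from_jira_props`. Before setting the preload property, run `preload_eligible` on the policy you intend to serve: the preload list requires at least a one-year max-age together with includeSubDomains, and that scope covers every host under the domain, not only Jira.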


See Also

HTTP Strict Transport Security on Wikipedia

HTTP Strict Transport Security on IETF

Strict-Transport-Security on MDN

HTTP Header Security Filter on Apache Tomcat 8 Configuration Reference



Last modified on Apr 5, 2021
