How to enable and configure HTTP Strict Transport Security (HSTS) response header on Jira Server and Data Center
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
According to RFC 6797, HTTP Strict Transport Security (HSTS) is a mechanism by which a web site tells browsers that it should only be accessed over secure connections (HTTPS). The policy is declared through the Strict-Transport-Security HTTP response header.
On the following Jira Software versions, the HSTS response header is enabled by default for all pages.
For earlier versions, you need to either configure a reverse proxy (or load balancer) to send the HSTS response header, or configure it in Tomcat.
If using NGINX, refer to HTTP Strict Transport Security (HSTS) and NGINX. On Apache you may use the mod_headers module to set response headers.
If you would like to configure it directly on Tomcat, refer to the steps below.
Solution
Enabling HSTS response headers on Tomcat
- Edit the <Jira Install folder>/atlassian-jira/WEB-INF/web.xml file.
- Search for the following filter definition.

    <filter>
        <filter-name>security</filter-name>
        <filter-class>com.atlassian.jira.security.JiraSecurityFilter</filter-class>
    </filter>

- Add the following filter after it. To learn more about this filter, see the Tomcat documentation.

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>

  If Issue Collector is used in your environment, use the following filter instead:

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>ALLOW-FROM</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingUri</param-name>
            <param-value>https://<Jira Base URL>/*</param-value>
        </init-param>
    </filter>

- Still in the same file, search for the following filter mapping.

    <filter-mapping>
        <filter-name>security</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <!-- we want security to be applied after urlrewrites, for example -->
    </filter-mapping>

- Add the following mapping after it.

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

- Save the file and restart Jira so the modifications are applied.
If you are running Jira Data Center, then make sure to apply the same steps on all nodes of the cluster.
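Because the edit above has to be identical on every node, it is worth scripting. The following is an added example, not Atlassian's own tooling: it inserts the article's filter and mapping into a web.xml right after the existing security filter and mapping, refuses to run if those anchors are missing, and is safe to run twice. The SAMPLE_WEB_XML string is a constructed stand-in for the two anchors, not Jira's real file.

```python
# Added example, not Atlassian's own tooling: apply the article's web.xml edit as an
# idempotent script, so the identical change can be rolled out to every Data Center node.
import re

HSTS_FILTER = """
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
        <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
        <init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
    </filter>"""
HSTS_MAPPING = """
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>"""
# Constructed stand-in for the two anchors the article says to search for in web.xml.
SAMPLE_WEB_XML = """<web-app>
  <filter><filter-name>security</filter-name>
    <filter-class>com.atlassian.jira.security.JiraSecurityFilter</filter-class></filter>
  <filter-mapping><filter-name>security</filter-name><url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher><dispatcher>FORWARD</dispatcher></filter-mapping>
</web-app>"""

def _element(kind: str, name: str) -> "re.Pattern":
    # One complete <kind> element whose first child is <filter-name>name</filter-name>.
    return re.compile(rf"<{kind}>\s*<filter-name>{name}</filter-name>.*?</{kind}>", re.S)

def add_http_header_security(web_xml: str) -> str:
    """Insert the filter after the 'security' filter and the mapping after the
    'security' mapping, as the article's steps do; a second run changes nothing."""
    if _element("filter", "httpHeaderSecurity").search(web_xml):
        return web_xml
    for kind, snippet in (("filter", HSTS_FILTER), ("filter-mapping", HSTS_MAPPING)):
        anchor = _element(kind, "security").search(web_xml)
        if anchor is None:
            raise ValueError(f"<{kind}> for 'security' not found; is this Jira's web.xml?")
        web_xml = web_xml[:anchor.end()] + snippet + web_xml[anchor.end():]
    return web_xml

def hsts_filter_wired(web_xml: str) -> bool:
    """Post-edit check: the filter and its mapping each appear exactly once."""
    return all(len(_element(kind, "httpHeaderSecurity").findall(web_xml)) == 1
               for kind in ("filter", "filter-mapping"))
```

Run hsts_filter_wired on each node's file after the change and before restarting, so a node that was missed or edited twice is caught before it serves traffic.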
Configuring HSTS on latest versions
For those versions of Jira with HSTS enabled by default, you don't need to modify anything in the Tomcat configuration files.
Configuration related to HSTS is managed through JVM startup options as detailed below.
Changes to these properties require a restart of the JVM.
Property name | Default value | Description |
---|---|---|
-Dcom.atlassian.jira.strict.transport.security.disabled | false | Whether HSTS response headers should be disabled. |
-Dcom.atlassian.jira.strict.transport.security.preload.enabled | false | Whether the HSTS preload directive should be sent. See https://hstspreload.org/ for more details. |
-Dcom.atlassian.jira.strict.transport.security.include.subdomains.enabled | false | Whether the HSTS rule should also apply to all subdomains. |
-Dcom.atlassian.jira.strict.transport.security.max.age | 31536000 | The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS. |
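After changing these properties (or the Tomcat filter), confirm what the instance actually sends. The following is an added example, not part of Atlassian's article: it parses an observed Strict-Transport-Security value according to RFC 6797 and compares it with the policy the -D properties in the table should produce. It goes slightly beyond the page by also applying two submission rules of hstspreload.org that the page links but does not spell out (max-age of at least one year, and includeSubDomains required for preload).

```python
# Added example, not from the Atlassian article: parse the Strict-Transport-Security
# value a Jira instance returns and check it against the article's JVM properties.
from typing import Optional
ONE_YEAR = 31536000  # default max.age / hstsMaxAgeSeconds on the page
PREFIX = "com.atlassian.jira.strict.transport.security."

def parse_hsts(value: str) -> Optional[tuple]:
    """RFC 6797 parse -> (max_age, includeSubDomains, preload), or None if invalid."""
    max_age, subdomains, preload, seen = None, False, False, set()
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:  # RFC 6797 s6.1: a directive MUST NOT appear twice
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            subdomains = True
        elif name == "preload":
            preload = True  # any other directive is ignored, as the RFC requires
    return None if max_age is None else (max_age, subdomains, preload)

def expected_policy(jvm_props: dict) -> Optional[tuple]:
    """Policy Jira should emit for the given -D properties (None when disabled)."""
    p = {k[2:] if k.startswith("-D") else k: v.strip().lower() for k, v in jvm_props.items()}
    if p.get(PREFIX + "disabled", "false") == "true":
        return None
    return (int(p.get(PREFIX + "max.age", ONE_YEAR)),
            p.get(PREFIX + "include.subdomains.enabled") == "true",
            p.get(PREFIX + "preload.enabled") == "true")

def check(observed_header: Optional[str], jvm_props: dict) -> list:
    """Findings: config mismatch, HSTS not enforced, weak max-age, unsafe preload."""
    observed = parse_hsts(observed_header) if observed_header is not None else None
    expected = expected_policy(jvm_props)
    out = [] if observed == expected else [f"observed {observed} != configured {expected}"]
    if observed is None:
        return out + ["HSTS not enforced: no valid Strict-Transport-Security header"]
    max_age, subdomains, preload = observed
    if max_age < ONE_YEAR:
        out.append("max-age below one year; hstspreload.org requires at least 31536000")
    if preload and not subdomains:
        out.append("preload set without includeSubDomains; the preload list rejects this")
    return out
```

Feed check() the header value taken from a response for the Jira Base URL together with the -D properties from the node's JVM options; an empty findings list means the running instance matches its configuration.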
Client-side setup
Whenever you change the HSTS configuration, you also need to refresh the policy stored for the Jira domain (Base URL) in users' browsers:
Chrome
- Access chrome://net-internals/#hsts from the browser.
- Enter the domain that you want to remove in the Delete domain security policies section and click add.
- Try to access Jira again.
Firefox
- Start by closing any open windows.
- Next, open your browsing history by pressing Ctrl + Shift + H.
- Navigate to the site for which you wish to clear the HSTS settings.
- Right-click on the site and click Forget About This Site.
See Also
HTTP Strict Transport Security on Wikipedia
HTTP Strict Transport Security on IETF
Strict-Transport-Security on MDN
HTTP Header Security Filter on Apache Tomcat 8 Configuration Reference