Security headers in JIRA


Purpose

To prevent clickjacking, JIRA adds the X-Frame-Options and Content-Security-Policy security headers to each HTTP response. The headers block the content from being embedded in iframes, which might also affect pages that you actually wanted to be displayed this way. If you don't like this change, you can create a list of paths to be excluded from this protection, or disable the security headers entirely.

Security headers

The following headers were introduced in JIRA 7.6. You can read the original bug report here: JRASERVER-25143.

Header                    Value
X-Frame-Options           SAMEORIGIN
Content-Security-Policy   frame-ancestors 'self'
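To see what these two values mean in practice, here is an added example (not JIRA's own code) that takes a response's headers and decides whether a browser honouring both headers would let a given origin frame the page. It treats a CSP frame-ancestors directive as taking precedence over X-Frame-Options, as the CSP specification requires, and matches sources only by exact origin or 'self'/'*' (a simplification of full CSP source matching). The JIRA_HEADERS sample and the origins are constructed.

```python
"""Evaluate whether X-Frame-Options / CSP frame-ancestors allow framing.

Added illustration; it is not JIRA's implementation. Source matching is
simplified to exact origins plus the 'self', 'none' and '*' keywords.
"""
from typing import List, Mapping, Optional

# Constructed sample: the two headers JIRA 7.6+ adds to every response.
JIRA_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
}


def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_allowed(headers: Mapping[str, str], page_origin: str, embedder_origin: str) -> bool:
    """Decide whether embedder_origin may frame a page from page_origin.

    Header names are matched case-insensitively. If neither header is present
    (the state an excluded path is served in), framing is allowed.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    same_origin = page_origin == embedder_origin

    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = csp_frame_ancestors(csp)
        if ancestors is not None:
            # A present frame-ancestors directive wins over X-Frame-Options.
            for src in ancestors:
                keyword = src.strip("'").lower()
                if keyword == "self" and same_origin:
                    return True
                if keyword == "*" or keyword == embedder_origin:
                    return True
            return False  # 'none' or no matching source

    xfo = lower.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return False
        if value == "SAMEORIGIN":
            return same_origin
        # Browsers ignore unrecognised X-Frame-Options values, so fall through.
    return True


if __name__ == "__main__":
    jira = "https://jira.example"
    for embedder in (jira, "https://confluence.example"):
        print(embedder, "->", framing_allowed(JIRA_HEADERS, jira, embedder))
```

With JIRA's default headers, only the JIRA origin itself is allowed to frame a page; an empty header set, which is what an excluded path returns, allows any embedder, which is why the exclude list should stay limited to the endpoints the embedding actually needs.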

Solution

Excluding paths

To create a list of paths excluded from this protection, set the com.atlassian.jira.clickjacking.protection.exclude system property to the paths separated by commas, for example:

-Dcom.atlassian.jira.clickjacking.protection.exclude=/rest/my-plugin/1.0/dashboard,/rest/collectors/1.0/template/form/

For more info, see Setting properties and options.

Determining which paths to exclude

The easiest option is to examine the access logs from Jira. For example, if you have a report in JIRA and want to display it in Confluence:

  • Add an iframe with the JIRA report into Confluence and reload the page
  • Confluence will attempt to make several requests to JIRA for the information needed to display the report. Due to the security headers, the report will fail to load.
  • Check Jira's access logs to see which URI endpoints were requested by Confluence. These are the paths you want to exclude.
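The log review described above can be scripted. The following is an added example, not part of this article, that parses access log lines, keeps the requests whose Referer comes from the Confluence origin, and turns the distinct paths into the exclude property. The log lines are constructed in combined log format; the pattern of your own Jira access log is set by the AccessLogValve in conf/server.xml and may need a different regular expression.

```python
"""Derive the clickjacking exclude list from access log lines.

Added example, not Atlassian code. LINE_RE matches combined log format;
adjust it to the AccessLogValve pattern your Jira instance actually uses.
"""
import re
from typing import Iterable, List

# Constructed sample lines: two from an embedded Confluence page, one direct.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Mar/2019:10:01:02 +0000] "GET /rest/my-plugin/1.0/dashboard?projectKey=ABC HTTP/1.1" 200 5120 "https://confluence.example.com/display/TEAM/Report" "Mozilla/5.0"
10.0.0.5 - - [14/Mar/2019:10:01:02 +0000] "GET /rest/collectors/1.0/template/form/ HTTP/1.1" 200 881 "https://confluence.example.com/display/TEAM/Report" "Mozilla/5.0"
10.0.0.7 - - [14/Mar/2019:10:01:03 +0000] "GET /browse/ABC-1 HTTP/1.1" 200 33201 "https://jira.example.com/secure/Dashboard.jspa" "Mozilla/5.0"
10.0.0.5 - - [14/Mar/2019:10:01:04 +0000] "GET /rest/my-plugin/1.0/dashboard?projectKey=XYZ HTTP/1.1" 200 4988 "https://confluence.example.com/display/TEAM/Report" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def paths_requested_via(log_lines: Iterable[str], referer_origin: str) -> List[str]:
    """Distinct request paths (query string dropped) whose Referer starts
    with referer_origin, in first-seen order. Unparseable lines are skipped."""
    seen: List[str] = []
    for line in log_lines:
        match = LINE_RE.match(line)
        if not match or not match.group("referer").startswith(referer_origin):
            continue
        path = match.group("target").split("?", 1)[0]
        if path not in seen:
            seen.append(path)
    return seen


def exclude_property(paths: List[str]) -> str:
    """Render the -D argument that lists the paths to exclude."""
    return "-Dcom.atlassian.jira.clickjacking.protection.exclude=" + ",".join(paths)


if __name__ == "__main__":
    found = paths_requested_via(SAMPLE_LOG.splitlines(), "https://confluence.example.com")
    print(exclude_property(found))
```

Review the resulting list before applying it: every path on it is served without the two headers, so remove anything that was merely requested alongside the report but does not need to be framed.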

Excluding paths in plugins

Applies to JIRA 7.7 or later.

If you develop plugins for JIRA and use iframes on purpose, you can also exclude paths in a JIRA instance that uses your plugin.

  • Add the paths to be excluded by adding the following code to the atlassian-plugin.xml file.

    <clickjacking-http-headers-excluded-paths key="some-unique-key-for-this-module">
       <path>/plugins/servlet/reference-servlet-with-filter</path>
       <path>/plugins/servlet/other-servlet</path>
    </clickjacking-http-headers-excluded-paths>

    For more info, see this Java doc.

Disabling security headers

To disable this protection, set the com.atlassian.jira.clickjacking.protection.disabled system property to true.

Steps to disable the security headers

  1. From <jira-install>/bin, open setenv.bat (Windows) or setenv.sh (Linux).
  2. Find the line that sets JVM_SUPPORT_RECOMMENDED_ARGS.
  3. Add "-Dcom.atlassian.jira.clickjacking.protection.disabled=true" to that value. The full argument should look as follows (Windows form; in setenv.sh the line has no leading set):

       set JVM_SUPPORT_RECOMMENDED_ARGS="-Dcom.atlassian.jira.clickjacking.protection.disabled=true"
  4. Restart JIRA to load the new argument.

For more info, see Setting properties and options.

Product Jira
Platform Server
Last modified on Mar 14, 2019
